HDD rootkit ?


HDD rootkit ?

Post by nisirius on Tue Sep 13, 2011 6:45 pm

OS is Windows 7 Ultimate Service Pack 1. When I start the laptop (Lenovo G560), I get a black screen. To start, I must go into the boot manager and select Network Boot: PCI legacy device, and a black window appears with the text: Intel UNDI, PXE-2.1 (build 083), PXE-E53: No boot file received. After that, the window with user name and password appears, and in the user name box \\\\\\\\ appears automatically. I tried several versions of antivirus... but either they block or the tabs / *.exe disappear. All folders come and go when they want, and I cannot change the read-only attribute. I know I have a problem when installing Windows (icon = setup.exe, 0). My HDD has 500 GB, and the lowered window shows me that it has 450 GB (50 GB have disappeared). I have problems with any software downloaded or installed. I cannot run any *.exe or *.com command. I noticed that I have an e-mail virus (I have a static IP and my provider did not give me any e-mail box; I don't have e-mail) and a virus "search_html". I installed GMER and I see: rootkit / malware: attachedDevice, name: \filesystem\fastfat\Fat, value: fltrmgr.sys. Cannot create directory. I tried to install Windows XP 2 or 3, but I could not: a pagefile.sys error and a Usbehci.sys error occur, and setup stops.



Last edited by nisirius on Thu Sep 15, 2011 8:29 am; edited 1 time in total

nisirius
Beginner
Posts: 3
Joined: 2011-09-05
OS: windows 7 ultimate
Points: 19213
Likes: 0

Re: HDD rootkit ?

Post by Dr Jay on Wed Sep 14, 2011 11:54 am

Please visit this webpage for a tutorial on downloading and running ComboFix:

[You must be registered and logged in to see this link.]

See the area: Using ComboFix, and when done, post the log back here.


Dr. Jay (DJ)



Dr Jay
Head Administrator
Posts: 13714
Joined: 2009-09-06
Gender: Male
OS: Windows 10 Home & Pro
Protection: Bitdefender Total Security
Points: 302072
Likes: 10

Re: HDD rootkit ?

Post by nisirius on Mon Sep 19, 2011 8:30 am

nisirius wrote: OS is Windows 7 Ultimate Service Pack 1. When I start the laptop (Lenovo G560), I get a black screen. To start, I must go into the boot manager and select Network Boot: PCI legacy device, and a black window appears with the text: Intel UNDI, PXE-2.1 (build 083), PXE-E53: No boot file received. After that, the window with user name and password appears, and in the user name box \\\\\\\\ appears automatically. I tried several versions of antivirus... but either they block or the tabs / *.exe disappear. All folders come and go when they want, and I cannot change the read-only attribute. I know I have a problem when installing Windows (icon = setup.exe, 0). My HDD has 500 GB, and the lowered window shows me that it has 450 GB (50 GB have disappeared). I have problems with any software downloaded or installed. I cannot run any *.exe or *.com command. I noticed that I have an e-mail virus (I have a static IP and my provider did not give me any e-mail box; I don't have e-mail) and a virus "search_html". I installed GMER and I see: rootkit / malware: attachedDevice, name: \filesystem\fastfat\Fat, value: fltrmgr.sys. Cannot create directory. I tried to install Windows XP 2 or 3, but I could not: a pagefile.sys error and a Usbehci.sys error occur, and setup stops.



Re: HDD rootkit ?

Post by Dr Jay on Mon Sep 19, 2011 5:42 pm

Please download aswMBR from [You must be registered and logged in to see this link.]

  • Save aswMBR.exe to your Desktop
  • Double click aswMBR.exe to run it
  • Click the Scan button to start the scan as illustrated below

Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are [You must be registered and logged in to see this link.]

  • Once the scan finishes click Save log to save the log to your Desktop
  • Copy and paste the contents of aswMBR.txt back here for review


Dr. Jay (DJ)




Re: HDD rootkit ?

Post by nisirius on Tue Sep 20, 2011 8:29 am

Thanks for your time and attention given to me!

I downloaded dds.scr and dds.pif. I opened dds.scr; the program ran but could not save the two tabs (dds.txt and attach.txt) by itself. I got the bug and immediately saved when the program showed that it saves a log file. Moreover, the program has not finished ...
With dds.pif I cannot run the program; downloaded to the desktop it appears as a shortcut file (not a program), and for properties it shows me: "Cannot query the properties for this program. There may not be enough memory available; exit one or more programs, and try again"...
Finally, besides all the crap made by Windows, SpyHunter shows me that it found trojan.boupke.gen!A, which it tries to clean ... The key \ makes me crazy ... Now it appears infinitely in the search box in the home program and also in the search box on the Internet Explorer page, and in the "target" box of any program shortcut's properties.
The madness disappears after about 5 minutes every time I start the laptop...



DDS.txt

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7601.17514
Run by abcde at 12:19:04 on 2011-09-21
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.1911.1252 [GMT -7:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\SDistTest\SDistTestSvc.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Enigma Software Group\SpyHunter\Spyhunter4.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\CleanMyPC\Registry Cleaner\RCleaner.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = [You must be registered and logged in to see this link.]
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SafeOnline BHO: {69d72956-317c-44bd-b369-8e44d4ef9801} - c:\windows\system32\PxSecure.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GR469A~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Registry Cleaner] "c:\program files\cleanmypc\registry cleaner\RCHelper.exe" /startup
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{86E0A18D-5E53-4584-A883-6C2A78327D03} : DhcpNameServer = 192.168.0.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GRA32A~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GR469A~1.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2011-9-21 32008]
R1 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2011-9-21 76696]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
R2 CSIScanner;CSIScanner;c:\program files\prevx\prevx.exe [2011-9-21 6416120]
R2 SDisTestService;SpybotSnD Distributed Testing;c:\program files\sdisttest\SDistTestSvc.exe [2011-9-17 907680]
R2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\enigma~1\spyhun~1\SH4SER~1.EXE [2011-9-8 736672]
R3 esgiguard;esgiguard;c:\program files\enigma software group\spyhunter\esgiguard.sys [2011-5-6 13904]
R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [2011-9-21 26096]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-9-17 136176]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-9-17 136176]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
S3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\Synth3dVsc.sys [2010-11-20 77184]
S3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-20 25600]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2010-11-20 52224]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
S3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-20 112640]
S3 WBQSUQ;WBQSUQ;c:\users\abcde\appdata\local\temp\wbqsuq.exe --> c:\users\abcde\appdata\local\temp\WBQSUQ.exe [?]
S3 wsvd;wsvd;c:\windows\system32\drivers\wsvd.sys [2009-7-21 81704]
.
=============== File Associations ===============
.
regfile\shell\edit\command=%SystemRoot%\system32\notepad.exe "%1"
.
=============== Created Last 30 ================
.
2011-09-21 16:08:00 -------- d-----w- c:\users\abcde\appdata\roaming\CleanMyPC Software
2011-09-21 16:07:22 -------- d---a-w- c:\program files\CleanMyPC
2011-09-21 16:03:38 110080 ----a-r- c:\users\abcde\appdata\roaming\microsoft\installer\{d3f93a5a-7a5d-4867-b2a1-6f46500d006c}\IconF7A21AF7.exe
2011-09-21 16:03:38 110080 ----a-r- c:\users\abcde\appdata\roaming\microsoft\installer\{d3f93a5a-7a5d-4867-b2a1-6f46500d006c}\IconD7F16134.exe
2011-09-21 16:03:38 110080 ----a-r- c:\users\abcde\appdata\roaming\microsoft\installer\{d3f93a5a-7a5d-4867-b2a1-6f46500d006c}\IconCF33A0CE.exe
2011-09-21 16:03:14 -------- d-----w- c:\windows\D3F93A5A7A5D4867B2A16F46500D006C.TMP
2011-09-21 16:00:27 -------- d-----w- c:\windows\system32\appmgmt
2011-09-21 14:30:08 76696 ----a-w- c:\windows\system32\drivers\pxrts.sys
2011-09-21 14:30:08 71880 ----a-w- c:\windows\system32\PxSecure.dll
2011-09-21 14:30:08 32008 ----a-w- c:\windows\system32\drivers\pxscan.sys
2011-09-21 14:30:07 26096 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2011-09-21 14:30:07 -------- d-----w- c:\program files\Prevx
2011-09-21 14:30:00 -------- d-----w- c:\programdata\PrevxCSI
2011-09-20 17:46:19 -------- d-----w- c:\users\abcde\appdata\local\Adobe
2011-09-20 05:20:47 185344 ----a-w- c:\windows\system32\drivers\KeDetective130.sys
2011-09-20 04:26:21 -------- d-----w- c:\users\abcde\appdata\roaming\ETI Ltd
2011-09-19 18:02:04 -------- d-sh--w- C:\$RECYCLE.BIN
2011-09-19 18:02:02 -------- d-----w- c:\users\abcde\appdata\local\temp
2011-09-19 17:56:50 98816 ----a-w- c:\windows\sed.exe
2011-09-19 17:56:50 518144 ----a-w- c:\windows\SWREG.exe
2011-09-19 17:56:50 256000 ----a-w- c:\windows\PEV.exe
2011-09-19 17:56:50 208896 ----a-w- c:\windows\MBR.exe
2011-09-18 18:58:28 -------- d-----w- c:\users\abcde\My Others
2011-09-18 18:57:26 -------- d-----w- C:\Lenovo
2011-09-18 18:38:46 -------- d---a-w- c:\program files\Lenovo
2011-09-18 18:37:47 -------- d-----w- C:\Drivers
2011-09-18 17:52:46 -------- d-----w- c:\users\abcde\appdata\roaming\RegGenie
2011-09-18 11:03:12 33104 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\msonpppr.dll
2011-09-18 11:03:12 32592 ----a-w- c:\windows\system32\msonpmon.dll
2011-09-18 11:01:52 -------- d-----w- c:\windows\PCHEALTH
2011-09-18 11:00:45 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2011-09-18 11:00:05 -------- d-----w- c:\users\abcde\appdata\local\Microsoft Help
2011-09-18 10:50:24 -------- d-----w- c:\users\abcde\appdata\local\eBook Reader
2011-09-18 10:50:01 -------- d-----w- c:\users\abcde\appdata\local\Google Translator
2011-09-18 10:30:34 -------- d-----w- c:\users\abcde\appdata\local\Opera
2011-09-18 08:41:12 -------- d-----w- c:\windows\msdownld.tmp
2011-09-18 08:41:09 -------- d---a-w- c:\windows\system32\directx
2011-09-18 05:56:18 -------- d---a-w- c:\program files\SDistTest
2011-09-18 04:37:28 -------- d---a-w- c:\users\abcde\appdata\local\ETI Ltd
2011-09-18 04:36:43 -------- d---a-w- c:\program files\ETI Ltd
2011-09-18 04:21:06 -------- d---a-w- c:\users\abcde\appdata\roaming\ParetoLogic
2011-09-18 04:21:06 -------- d---a-w- c:\users\abcde\appdata\roaming\DriverCure
2011-09-18 04:19:42 -------- d-----w- c:\programdata\ParetoLogic
2011-09-17 20:19:02 -------- d---a-w- c:\users\abcde\appdata\local\Diagnostics
2011-09-17 16:09:34 -------- d-----w- c:\windows\Panther
2011-09-17 15:56:57 -------- d---a-w- C:\WINNT
2011-09-17 15:56:35 -------- d-----w- C:\Boot
2011-09-17 15:55:38 -------- d---a-w- C:\Program1
2011-09-17 15:55:38 -------- d-----w- C:\Files
2011-09-17 09:58:50 -------- d---a-w- c:\users\abcde\en-US
2011-09-17 08:45:37 50688 ----a-w- c:\windows\system32\hmmapi.dll
2011-09-17 08:26:21 145408 ----a-w- c:\windows\system32\ExtExport.exe
2011-09-17 07:19:09 -------- d---a-w- c:\program files\Enigma Software Group
2011-09-17 07:19:09 -------- d-----w- C:\sh4ldr
2011-09-17 07:18:45 -------- d-----w- c:\windows\820C0EEB9B124AD5B39DD15ED1DBDD06.TMP
2011-09-17 07:18:44 -------- d-----w- c:\program files\common files\Wise Installation Wizard
2011-09-17 07:02:59 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-17 07:02:49 -------- d-sh--w- c:\windows\Installer
2011-09-17 07:02:44 -------- d---a-w- c:\users\abcde\appdata\local\Google
2011-09-17 07:01:22 7152464 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{9d2e37eb-8fc6-4d67-b9c2-0b444485b7b2}\mpengine.dll
2011-09-17 07:01:21 222080 ----a-w- c:\windows\system32\MpSigStub.exe
2011-09-17 06:53:37 -------- d---a-w- C:\Documents and Settings
.
==================== Find3M ====================
.
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, [You must be registered and logged in to see this link.]
Windows 6.1.7601
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS halmacpi.dll PCIIDEX.SYS msahci.sys
1 ntkrnlpa!IofCallDriver[0x8286E52F] -> \Device\Harddisk0\DR0[0x855AD030]
3 CLASSPNP[0x885A159E] -> ntkrnlpa!IofCallDriver[0x8286E52F] -> \Device\Ide\IdeDeviceP0T0L0-0[0x847B1908]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
user != kernel MBR !!!
.
============= FINISH: 12:19:18.67 ===============
***************************************************************************************
***************************************************************************************


Attach.txt


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume1
Install Date: 9/17/2011 8:21:43 AM
System Uptime: 9/21/2011 10:28:12 AM (2 hours ago)
.
Motherboard: LENOVO | | Base Board Product Name
Processor: Intel(R) Pentium(R) CPU P6100 @ 2.00GHz | CPU | 1999/1066mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 466 GiB total, 446.018 GiB free.
D: is CDROM (UDF)
E: is Removable
F: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_8086&DEV_3B64&SUBSYS_38A517AA&REV_06\3&11583659&0&B0
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_8086&DEV_3B64&SUBSYS_38A517AA&REV_06\3&11583659&0&B0
Service:
.
Class GUID:
Description:
Device ID: ACPI\VPC2004\0
Manufacturer:
Name:
PNP Device ID: ACPI\VPC2004\0
Service:
.
Class GUID:
Description: Network Controller
Device ID: PCI\VEN_14E4&DEV_4727&SUBSYS_051014E4&REV_01\4&C74C28E&0&00E1
Manufacturer:
Name: Network Controller
PNP Device ID: PCI\VEN_14E4&DEV_4727&SUBSYS_051014E4&REV_01\4&C74C28E&0&00E1
Service:
.
==== System Restore Points ===================
.
RP3: 9/17/2011 12:01:07 AM - Windows Update
RP4: 9/17/2011 12:05:02 AM - Installed Adobe Reader X (10.1.0).
RP5: 9/17/2011 12:18:48 AM - Installed SpyHunter
RP6: 9/17/2011 9:31:06 PM - Windows Update
RP7: 9/17/2011 9:36:30 PM - Installed Data Temperature Recorder
RP9: 9/18/2011 3:59:01 AM - Installed Microsoft Office Enterprise 2007
RP10: 9/18/2011 9:53:18 AM - OTL Restore Point - 9/18/2011 9:53:17 AM
RP12: 9/18/2011 10:47:03 AM - RegGenie Safe Scan Backup
RP14: 9/18/2011 10:48:44 AM - RegGenie Safe Scan Backup
RP16: 9/18/2011 11:38:03 AM - Installed OneKey Recovery
RP17: 9/18/2011 11:55:39 AM - Installed Lenovo DirectShare
RP18: 9/19/2011 11:19:29 AM - OTL Restore Point - 9/19/2011 11:19:28 AM
RP20: 9/19/2011 9:21:53 PM - Windows Defender Checkpoint
RP21: 9/19/2011 9:26:50 PM - Installed Lenovo DirectShare
RP22: 9/21/2011 8:58:08 AM - Installed SpyHunter
RP23: 9/21/2011 8:59:07 AM - Removed SpyHunter
RP24: 9/21/2011 9:03:16 AM - Installed SpyHunter
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player 11 ActiveX
Adobe Reader X (10.1.1)
CleanMyPC - Registry Cleaner
Data Temperature Recorder
eBook Reader
Google Chrome
Google Toolbar for Internet Explorer
Google Translator
Google Update Helper
Lenovo DirectShare
Lenovo OneKey Recovery
Microsoft .NET Framework 4 Client Profile
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Opera 11.51
Prevx
Spybot-S&D Distributed Testing Client
SpyHunter
.
==== Event Viewer Messages From Past Week ========
.
9/21/2011 8:42:38 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Search service, but this action failed with the following error: An instance of the service is already running.
9/21/2011 8:42:08 AM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
9/21/2011 8:42:08 AM, Error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error %%-1073473535.
9/19/2011 9:05:00 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the WBQSUQ service to connect.
9/19/2011 9:05:00 AM, Error: Service Control Manager [7000] - The WBQSUQ service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
9/19/2011 9:04:30 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the KWASLJRGGYEX service to connect.
9/19/2011 9:04:30 AM, Error: Service Control Manager [7000] - The KWASLJRGGYEX service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
9/19/2011 9:03:59 AM, Error: Service Control Manager [7030] - The WBQSUQ service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
9/19/2011 9:03:59 AM, Error: Service Control Manager [7030] - The KWASLJRGGYEX service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
9/19/2011 9:03:59 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the UBOJFGWD service to connect.
9/19/2011 9:03:59 AM, Error: Service Control Manager [7000] - The UBOJFGWD service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
9/19/2011 9:03:29 AM, Error: Service Control Manager [7030] - The UBOJFGWD service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
9/19/2011 11:00:45 AM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
9/19/2011 10:56:40 AM, Error: Service Control Manager [7034] - The SpyHunter 4 Service service terminated unexpectedly. It has done this 1 time(s).
9/18/2011 9:35:29 AM, Error: Service Control Manager [7001] - The Task Scheduler service depends on the Windows Event Log service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
9/18/2011 10:41:06 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001a (0x00041790, 0xc0802846, 0x00003d00, 0x00000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 091811-14617-01.
.
==== End Of File ===========================


Last edited by nisirius on Wed Sep 21, 2011 11:04 am; edited 1 time in total
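As an added example (my own code, not part of the DDS tool or of this thread), here is a small Python triage script for a DDS log of the kind posted above. It pulls out the things a helper reads first: services that run from a temp directory or whose file DDS could not find (the `[?]` marker), randomly named services that the Service Control Manager logged under event 7030, and the `user != kernel MBR` line from the ROOTKIT section, which DDS prints when the MBR it reads from user mode differs from the one the kernel returns. It also converts a drive's marketed capacity (10^9-byte GB) into the 2^30-byte GiB that Windows reports. `SAMPLE_DDS` is a constructed excerpt of the log above; the temp-path check, the `[?]` check and the "looks random" rule are assumptions of mine, not DDS rules.

```python
"""Triage a DDS log for first-look indicators.

Added example, not part of DDS or of the forum thread. SAMPLE_DDS is a
constructed excerpt of the log posted in the thread; the heuristics below
(temp-path check, '[?]' check, random-looking service names) are my own
assumptions, not rules that DDS itself applies.
"""
import re

# Constructed excerpt of the DDS output posted above, trimmed to the
# SERVICES / DRIVERS, ROOTKIT and Event Viewer sections.
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2011-9-21 32008]
R2 CSIScanner;CSIScanner;c:\program files\prevx\prevx.exe [2011-9-21 6416120]
S3 WBQSUQ;WBQSUQ;c:\users\abcde\appdata\local\temp\wbqsuq.exe --> c:\users\abcde\appdata\local\temp\WBQSUQ.exe [?]
S3 wsvd;wsvd;c:\windows\system32\drivers\wsvd.sys [2009-7-21 81704]
=================== ROOTKIT ====================
user: error reading MBR
kernel: MBR read successfully
user != kernel MBR !!!
==== Event Viewer Messages From Past Week ========
9/19/2011 9:03:59 AM, Error: Service Control Manager [7030] - The WBQSUQ service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
9/19/2011 9:03:59 AM, Error: Service Control Manager [7030] - The KWASLJRGGYEX service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
9/19/2011 11:00:45 AM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
9/21/2011 8:42:08 AM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s).
"""

# DDS service line: "<state> <name>;<display name>;<path> [<date size> | ?]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[(.*?)\]\s*$")
# Event 7030: the SCM refused to start a service that is marked interactive
EVENT_7030_RE = re.compile(
    r"Service Control Manager \[7030\] - The (\S+) service is marked as an interactive service"
)


def parse_services(log):
    """Return (state, name, path, info) for each line of the SERVICES / DRIVERS section."""
    out = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            state, name, _display, path, info = m.groups()
            out.append((state, name, path, info))
    return out


def looks_random(name):
    """Crude heuristic (my assumption): an all-caps alphabetic name of 6+ letters with few vowels."""
    if len(name) < 6 or not name.isalpha() or not name.isupper():
        return False
    vowels = sum(c in "AEIOU" for c in name)
    return vowels / len(name) < 0.4


def suspicious_services(log):
    """Flag services that run from a temp directory, whose file DDS could not stat, or whose name looks generated."""
    flagged = []
    for _state, name, path, info in parse_services(log):
        reasons = []
        if "\\temp\\" in path.lower():
            reasons.append("runs from a temp directory")
        if info.strip() == "?":
            reasons.append("file not found or unreadable at scan time")
        if looks_random(name):
            reasons.append("service name looks machine-generated")
        if reasons:
            flagged.append((name, reasons))
    return flagged


def interactive_service_names(log):
    """Service names the SCM logged under event 7030, in log order."""
    return [m.group(1) for m in EVENT_7030_RE.finditer(log)]


def mbr_mismatch(log):
    """True when DDS reports that the user-mode MBR read differs from the kernel-mode read."""
    return "user != kernel MBR" in log


def marketed_gb_to_gib(gb):
    """Vendors sell 10^9-byte gigabytes; Windows reports 2^30-byte GiB (500 GB is about 465.7 GiB)."""
    return gb * 10**9 / 2**30


def triage(log):
    """Summarise the indicators a reviewer would look at first."""
    return {
        "suspicious_services": suspicious_services(log),
        "random_interactive_services": [n for n in interactive_service_names(log) if looks_random(n)],
        "mbr_user_kernel_mismatch": mbr_mismatch(log),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DDS).items():
        print(f"{key}: {value}")
    print(f"500 GB marketed capacity = {marketed_gb_to_gib(500):.1f} GiB as Windows reports it")
```

Run it as-is to see the summary for the constructed excerpt; for a real log, read the file and pass its text to `triage()`. The heuristics only surface candidates: a mixed-case name such as PEVSystemStart is deliberately not flagged, and every hit still needs a reviewer's judgement before anything is removed, which is also why the helper above asks for the log before any action is taken.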


Re: HDD rootkit ?

Post by Dr Jay on Tue Sep 20, 2011 4:14 pm

Please download DDS by sUBs from [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.] and save it to your Desktop.

Note: Before scanning, make sure all other running programs are closed. There shouldn't be any scheduled antivirus scans running while the scan is being performed. Do not use your computer for anything else during the scan.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click Yes to the Optional_Scan
  • Please follow the instructions that pop up for posting the results. Post only the contents of both logs. There is no way to attach.
  • Close the program window, and delete the program from your Desktop.


Dr. Jay (DJ)



