GrecianDelight

Rather Nasty Rootkit

71 posts in this topic

Download mbr.exe to your Desktop.

Doubleclick mbr.exe and follow prompts.

When mbr.exe is ready, it will create a log.

Copy and paste contents of that file to your next reply.

A command prompt window pops up for a split second and then closes.


I see.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

  • Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

**Note**

To optimize scanning time and produce a more sensible report for review:

  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


DDS (Ver_10-12-12.02) - NTFS_AMD64
Run by George A at 7:30:13.98 on Fri 02/18/2011
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_18
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.4095.1078 [GMT -6:00]

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\Dwm.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\NVIDIA Corporation\System Update\UpdateCenterService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\AIM\aim.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\SysWOW64\DllHost.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\defrag.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k defragsvc
C:\Windows\system32\rundll32.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\Skype\Plugin Manager\skypePM.exe
C:\Program Files (x86)\mIRC\mirc.exe
C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE
C:\Windows\splwow64.exe
C:\Windows\system32\taskmgr.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\explorer.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\George A\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files (x86)\AIM Toolbar\aimtb.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files (x86)\AIM Toolbar\aimtb.dll
BHO: AutorunsDisabled - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files (x86)\AIM Toolbar\aimtb.dll
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
uRun: [Aim] "C:\Program Files (x86)\AIM\aim.exe" /d locale=en-US
mRun: [IJNetworkScanUtility] C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
TB-X64: {61539ECD-CC67-4437-A03C-9AACCBD14326} - No File
TB-X64: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
mRun-x64: [(Default)]

================= FIREFOX ===================

FF - ProfilePath - C:\Users\GEORGE~1\AppData\Roaming\Mozilla\Firefox\Profiles\7qgt8xo1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&query=
FF - component: C:\Users\George A\AppData\Roaming\Mozilla\Firefox\Profiles\7qgt8xo1.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: C:\Program Files (x86)\Download Manager\npfpdlm.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnu.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: C:\Program Files (x86)\Opera\program\plugins\np_gp.dll
FF - plugin: C:\Users\George A\AppData\Roaming\Mozilla\Firefox\Profiles\7qgt8xo1.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Stylish: {46551EC9-40F0-4e47-8E18-8E5CF550CFB8} - %profile%\extensions\{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}
FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
============= SERVICES / DRIVERS ===============

R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;C:\Windows\System32\drivers\l160x64.sys [2009-6-24 58368]
R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);C:\Windows\System32\drivers\vrtaucbl.sys [2011-1-22 66728]
R3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\netw5v64.sys [2009-6-10 5434368]
R3 nvoclk64;NVIDIA Enthusiasts Platform KDM;C:\Windows\System32\drivers\nvoclk64.sys [2009-9-15 42088]
R3 ScreamBAudioSvc;ScreamBee Audio;C:\Windows\System32\drivers\ScreamingBAudio64.sys [2009-12-1 38992]
S3 ATSwpWDF;AuthenTec TruePrint USB WBF WDF Driver;C:\Windows\System32\drivers\ATSwpWDF.sys [2009-12-3 716872]
S3 MEMSWEEP2;MEMSWEEP2;C:\Windows\System32\92E1.tmp [2011-2-2 6144]
S3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\System32\drivers\WSDPrint.sys [2009-7-13 23040]
S3 WSDScan;WSD Scan Support via UMB;C:\Windows\System32\drivers\WSDScan.sys [2009-7-13 25088]

=============== Created Last 30 ================

2011-02-03 22:06:42 150520 ----a-w- C:\Windows\System32\drivers\dwprot.sys
2011-02-03 21:47:45 -------- d-----w- C:\Users\George A\DoctorWeb
2011-02-03 09:06:27 -------- d-----w- C:\Users\GEORGE~1\AppData\Local\Adobe
2011-02-03 08:40:34 34560 ----a-w- C:\Windows\SysWow64\drivers\Normandy.sys
2011-02-03 06:20:13 -------- d-s---w- C:\ComboFix
2011-02-03 06:16:27 20952 ----a-w- C:\Windows\SysWow64\drivers\mbam.sys
2011-02-03 06:08:02 -------- d-----w- C:\Users\GEORGE~1\AppData\Local\AIM
2011-02-03 06:07:59 -------- d-----w- C:\Users\GEORGE~1\AppData\Local\AOL
2011-02-03 04:59:39 6144 ------w- C:\Windows\System32\92E1.tmp
2011-02-03 00:01:38 -------- d-----w- C:\Users\GEORGE~1\AppData\Roaming\Malwarebytes
2011-02-03 00:01:35 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-02-03 00:01:34 -------- d-----w- C:\PROGRA~3\Malwarebytes
2011-02-03 00:01:31 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-02-03 00:01:31 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-02-02 20:58:08 98816 ----a-w- C:\Windows\sed.exe
2011-02-02 20:58:08 89088 ----a-w- C:\Windows\MBR.exe
2011-02-02 20:58:08 256512 ----a-w- C:\Windows\PEV.exe
2011-02-02 20:58:08 161792 ----a-w- C:\Windows\SWREG.exe
2011-02-01 00:01:49 6144 ------w- C:\Windows\System32\250F.tmp
2011-02-01 00:00:40 6144 ------w- C:\Windows\System32\193B.tmp
2011-02-01 00:00:28 -------- d-----w- C:\Program Files (x86)\Sophos
2011-01-31 23:41:05 37600 ----a-w- C:\Windows\SysWow64\Partizan.exe
2011-01-31 23:41:05 35816 ----a-w- C:\Windows\SysWow64\drivers\Partizan.sys
2011-01-31 23:41:00 2 --shatr- C:\Windows\winstart.bat
2011-01-31 23:40:55 12808 ----a-w- C:\Windows\SysWow64\drivers\UnHackMeDrv.sys
2011-01-31 23:40:52 -------- d-----w- C:\Program Files (x86)\UnHackMe
2011-01-31 18:39:37 -------- d-----w- C:\Users\GEORGE~1\AppData\Local\VS Revo Group
2011-01-31 18:34:48 -------- d-----w- C:\PROGRA~3\MFAData
2011-01-31 07:39:28 -------- d-----w- C:\PROGRA~3\pPnNkIk06510
2011-01-27 13:56:53 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2011-01-26 22:05:26 -------- d-----w- C:\Program Files (x86)\ESET
2011-01-26 02:55:10 614532 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
2011-01-26 02:36:12 -------- d-----w- C:\Users\GEORGE~1\AppData\Roaming\Easeware
2011-01-22 07:23:42 66728 ----a-w- C:\Windows\System32\drivers\vrtaucbl.sys
2011-01-22 07:23:41 -------- d-----w- C:\Program Files\Virtual Audio Cable
2011-01-22 05:27:02 -------- d-----w- C:\Users\GEORGE~1\AppData\Roaming\Acoustica
2011-01-22 05:26:54 57344 ----a-w- C:\Windows\SysWow64\Wnaspint.dll
2011-01-22 05:26:43 -------- d-----w- C:\Program Files (x86)\Acoustica Shared Effects
2011-01-22 05:25:51 -------- d-----w- C:\Program Files (x86)\VST
2011-01-22 05:25:51 -------- d-----w- C:\Program Files (x86)\Acoustica Mixcraft 4
2011-01-22 05:25:51 -------- d-----w- C:\PROGRA~3\Acoustica
2011-01-22 05:10:38 -------- d-----w- C:\Program Files (x86)\AnalogX
2011-01-22 04:38:43 -------- d-----w- C:\Users\GEORGE~1\AppData\Roaming\Screaming Bee
2011-01-22 04:36:51 -------- d-----w- C:\Program Files (x86)\Screaming Bee

==================== Find3M ====================

2010-12-14 23:53:08 319488 ----a-w- C:\Windows\HideWin.exe

============= FINISH: 7:31:55.16 ===============

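The DDS log above is what the helper read before writing the BlitzBlank script that follows. As an added example (not part of the thread, and not DDS, BlitzBlank or forum code), the Python below does that reading mechanically: it parses the "Created Last 30" and "SERVICES / DRIVERS" sections and applies three review heuristics, namely a file carrying both the system and hidden attributes (winstart.bat's `--shatr-`), a directory whose name looks machine-generated (pPnNkIk06510), and a service whose image is not a .sys under \drivers\. The sample input is a constructed excerpt of the log posted above; the rule names, the case-flip and digit thresholds, and the `Finding` type are my own assumptions. A hit is a cue for a human to look closer, not a verdict: the MEMSWEEP2 entry fires purely because its image path is a .tmp in System32, and the thread never identifies what that service is.

```python
"""Mechanical triage of a DDS log (added example; not DDS, BlitzBlank or forum code).

Parses the "Created Last 30" and "SERVICES / DRIVERS" sections and applies
three review heuristics. A hit is a cue to look closer, not a verdict.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a handful of lines excerpted from the log posted above.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;C:\Windows\System32\drivers\l160x64.sys [2009-6-24 58368]
S3 MEMSWEEP2;MEMSWEEP2;C:\Windows\System32\92E1.tmp [2011-2-2 6144]
=============== Created Last 30 ================
2011-02-03 06:20:13 -------- d-s---w- C:\ComboFix
2011-02-03 04:59:39 6144 ------w- C:\Windows\System32\92E1.tmp
2011-01-31 23:41:00 2 --shatr- C:\Windows\winstart.bat
2011-01-31 18:34:48 -------- d-----w- C:\PROGRA~3\MFAData
2011-01-31 07:39:28 -------- d-----w- C:\PROGRA~3\pPnNkIk06510
2011-01-27 13:56:53 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
==================== Find3M ====================
"""

# "<timestamp> <size|--------> <8 attribute flags> <path>"
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S{8})\s+(.+)$")
# "<state> <name>;<description>;<image path> [<date> <size>]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[[^\]]*\]$")


@dataclass
class Finding:
    rule: str    # heuristic label (my own naming, not DDS terminology)
    path: str
    detail: str


def looks_random(name: str) -> bool:
    """Single token with >=3 upper/lower case flips and >=3 digits, e.g. pPnNkIk06510.
    Stays quiet on MFAData, ComboFix, UnHackMe and multi-word names."""
    if " " in name or len(name) < 8:
        return False
    letters = [c for c in name if c.isalpha()]
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    return flips >= 3 and sum(c.isdigit() for c in name) >= 3


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    section = None
    for line in map(str.strip, log_text.splitlines()):
        if line.startswith("==="):          # DDS section banner
            section = ("services" if "SERVICES / DRIVERS" in line
                       else "created" if "Created Last 30" in line else None)
        elif section == "services" and (m := SERVICE_RE.match(line)):
            state, name, _desc, image = m.groups()
            low = image.lower()
            # Kernel drivers normally load from a .sys file under \drivers\.
            if not low.endswith(".sys") or "\\drivers\\" not in low:
                findings.append(Finding("service-image-path", image,
                                        f"{state} {name}: image is not a .sys under \\drivers\\"))
        elif section == "created" and (m := CREATED_RE.match(line)):
            _ts, _size, attrs, path = m.groups()
            # DDS attribute flags: 'd' directory, 's' system, 'h' hidden, ...
            if "s" in attrs and "h" in attrs:
                findings.append(Finding("hidden-system", path, f"attributes {attrs}"))
            if attrs.startswith("d") and looks_random(path.rsplit("\\", 1)[-1]):
                findings.append(Finding("random-name-dir", path, "name looks machine-generated"))
    return findings


def blitzblank_script(findings: List[Finding]) -> str:
    """Render file/folder hits in the DeleteFile:/DeleteFolder: syntax used in the
    thread, quoting paths that contain spaces. Service hits are left out on
    purpose: unloading a driver is a decision for a human, not a heuristic."""
    files = [f.path for f in findings if f.rule == "hidden-system"]
    folders = [f.path for f in findings if f.rule == "random-name-dir"]

    def quote(p: str) -> str:
        return f'"{p}"' if " " in p else p

    out: List[str] = []
    if files:
        out += ["DeleteFile:"] + [quote(p) for p in files] + [""]
    if folders:
        out += ["DeleteFolder:"] + [quote(p) for p in folders]
    return "\n".join(out).rstrip("\n")


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(f"[{h.rule}] {h.path}  ({h.detail})")
    print("\n" + blitzblank_script(hits))
```

Two practical notes. DDS prints 8.3 short names (`C:\PROGRA~3\...`) where the helper wrote `C:\ProgramData\...`; resolve them on the machine itself before pasting anything into a deletion script. And the quoting in `blitzblank_script` exists because, later in the thread, an unquoted `C:\Users\All Users\...` line was not read correctly while the quoted form was.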

Please download BlitzBlank and save it to your desktop.

Click OK at the warning (and take note of it, this is a VERY powerful tool!).

Click the Script tab and copy/paste the following text there:

DeleteFile:
C:\Windows\winstart.bat

DeleteFolder:
C:\ProgramData\pPnNkIk06510
C:\Program Files\pPnNkIk06510

Click Execute Now.

Your computer will need to reboot. When done, post me the log file created by BlitzBlank.


I went and looked manually at the ProgramData and Program Files folders. "pPnNkIk06510" exists in ProgramData, but not in Program Files. Should I remove the Program Files part of the script?


Please try again:

DeleteFile:
C:\Windows\winstart.bat

DeleteFolder:
C:\Program Files (x86)\pPnNkIk06510
C:\ProgramData (x86)\pPnNkIk06510


Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2


  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :folderfind
    *pPnNkIk06510*


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


Sorry about that, didn't notice the thread went to a 4th page. I kept refreshing the third page. XD

Here are the results:

SystemLook 04.09.10 by jpshortstuff
Log created at 13:08 on 19/02/2011 by George A
Administrator - Elevation successful
WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.

========== folderfind ==========

Searching for "*pPnNkIk06510*"
C:\ProgramData\pPnNkIk06510 d------ [07:39 31/01/2011]
C:\Users\All Users\pPnNkIk06510 d------ [07:39 31/01/2011]

-= EOF =-


Don't be sorry, it's okay. B)

Please run BlitzBlank and then:

Click OK at the warning (and take note of it, this is a VERY powerful tool!).

Click the Script tab and copy/paste the following text there:

DeleteFile:
C:\Windows\winstart.bat

DeleteFolder:
C:\ProgramData\pPnNkIk06510
C:\Users\All Users\pPnNkIk06510

Click Execute Now.

Your computer will need to reboot. When done, post me the log file created by BlitzBlank.


Try with this one:

DeleteFile:
C:\Windows\winstart.bat

DeleteFolder:
C:\ProgramData\pPnNkIk06510


I put DeleteFile: "C:\Users\All Users\pPnNkIk06510" in quotations just like that and it's working now. Apparently it wasn't reading the space in All Users properly.


Hmm, it failed to execute, though. "Failed to execute, please make sure the application was started as an administrator". I closed the program and right-clicked to make sure that it was "run as administrator", and it still didn't work.


Let's try with Avira Rescue Disk. Follow the instructions:

http://forum.avira.com/wbb/index.php?page=Thread&threadID=82163

Note: In the Configuration tab, please check the following:

  • Select Scan all files
  • Select Try to repair infected files and Rename files, if they cannot be removed
  • Select Scan for dialers
  • Select Scan for joke programs (Jokes)
  • Select Scan for games
  • Select Scan for spyware (SPR)


I had problems getting the Avira Rescue Disk to boot. Anyway, Borislav, thank you for all of your help. Last week I ordered a new hard drive (I didn't want to lose the information on the current drive and had nowhere to back it up to) and I've reinstalled my OS onto it. Luckily, I found a pretty decent deal on it. I think I'm just going to give up on this one, though. :\

Thank you again for all of your help,

George


Glad we could help. :lol:

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.