#1 (permalink)
Registered User
Join Date: Mar 2009
Posts: 47
OS: Windows Vista Home Basic Service Pack 2
Avast has detected rootkit activity.
This is the name of the virus: Win32:Alureon-CY. At first when I would attempt to fix it via Avast, it said something about not being able to access it, saying that "maximum number of secrets on a single system could not be executed" or something like that. Also the splash screen said that the memory was infected. I immediately switched over to safe mode... the detection screen wouldn't go away long enough for me to figure it out. I was able to get the logs for DDS and Attach. During my first attempt to run GMER, the computer rebooted on me. After that, I tried a few more times, and each time it said that the program must be terminated. Finally, it said that there was a system modification and the scan would abort. I would try to save what I have into a log, but it wouldn't let me. When I try clicking GMER again to open it, I get a message saying, CreateFile, "C:\Users\Tim\AppData\Local\Temp\pwldipow.sys": The disk structure is corrupted and unreadable. I click OK and the program opens. This may be redundant, but when I scan after all that, that system mod message comes up. And I can't save what I have.
#2 (permalink)
Registered User
Join Date: Mar 2009
Posts: 47
OS: Windows Vista Home Basic Service Pack 2
Re: RootKit Found! Need assistance immediately!
It has gotten worse... a lot worse. Earlier I went to check my post here for updates, but it said that Firefox was already running. I figured it'd go away after a while. So I went to watch a movie. When I came back, I still got the same message, so I decided to restart the computer. Well I did, and now it says "Missing Operating System," and it is now completely unusable until I get this fixed. If I get it fixed... I remember reading in another thread that if I get such a message, I should just get a new computer altogether, which is not an option for me. Please send reinforcements.
#4 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista
Re: RootKit Found! Need assistance immediately!
Hello Teimoshi,
Quote:
#5 (permalink)
Registered User
Join Date: Mar 2009
Posts: 47
OS: Windows Vista Home Basic Service Pack 2
Re: RootKit Found! Need assistance immediately!
So then how do I do that? When I start it up I get the splash screen and then that message comes up. I can get the setup and boot menu, and I steer clear from that. I need instruction on this.
#8 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista
Re: RootKit Found! Need assistance immediately!
It will work the same as a fresh install. Insert the install disc, then boot from that install disc.
#9 (permalink)
Registered User
Join Date: Mar 2009
Posts: 47
OS: Windows Vista Home Basic Service Pack 2
Re: RootKit Found! Need assistance immediately!
Installation complete. But I have shut down just in case the virus is still there. It shouldn't be, though, since this is a clean slate. But I wanna double-check with you just in case.
#10 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista
Re: RootKit Found! Need assistance immediately!
That's correct, it should not survive a reformat and fresh install. Please run the 2 tools listed in our sticky topic New Instructions - Read This Before Posting for Malware Removal Help and post the requested logs in your next reply. I'd be happy to look them over for you.
#11 (permalink)
Registered User
Join Date: Mar 2009
Posts: 47
OS: Windows Vista Home Basic Service Pack 2
Re: RootKit Found! Need assistance immediately!
Here you go. Although, I'd probably feel better once I get some security programs downloaded. lol
#12 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista
Re: RootKit Found! Need assistance immediately!
The log looks clean. And yes, by all means install an Anti Virus program. If you are in need of one, Avast has a very good free AV.
#13 (permalink)
Registered User
Join Date: Mar 2009
Posts: 47
OS: Windows Vista Home Basic Service Pack 2
Re: RootKit Found! Need assistance immediately!
Sound doesn't seem to work. Sometimes I don't get any sound when in YouTube, but it comes back when I restart the computer. But this time it didn't. The device manager says it's working OK, and there's something about an SM Bus Drive not being installed. I haven't messed with that though, as I don't know what it pertains to and what it does. Also the size proportions are a bit off on my screen. My resolutions should include 1440 x 900, which isn't listed.
#14 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista
|
Re: RootKit Found! Need assistance immediately!
Those problems are driver related, and you would be better served discussing how to remedy them with the folks in our Vista / Microsoft 7 Support section.