I booted it up and found the install apparently did go through OK, over the existing data. There were a couple of hours of Microsoft updates to deal with. I have had to tweak various drivers and settings, but I can't use Firefox or IE6; they continually crash after viewing just a few web pages. I finally decided to set up a new user account with minimal settings, and at least I can work Firefox, but IE6 is still not working. But now I think the malware is still present, and GMER shows rootkits.
I have cleaned with TFC. I have backed up with ERUNT. I have tried twice to run OTL, but it keeps on crashing after running for almost 10 minutes. I even tried a third time to use OT Helper, but it still crashed. I have run chkdsk. I scanned with MBAM, which was freshly updated today. It found nothing.
Below are the MBAM log, GMER log and an MBR log.
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org
Database version: 4042
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512
4/27/2010 12:24:38
mbam-log-2010-04-27 (12-24-38).txt
Scan type: Quick scan
Objects scanned: 119914
Time elapsed: 9 minute(s), 10 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-27 10:17:34
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\fixer\LOCALS~1\Temp\ugldrpob.sys
---- System - GMER 1.0.15 ----
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess [0xF7A298AC]
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess [0xF7A29812]
---- Kernel code sections - GMER 1.0.15 ----
PAGE CLASSPNP.SYS!ClassInitialize + F4 F7D0342C 4 Bytes [60, 37, 40, 82]
PAGE CLASSPNP.SYS!ClassInitialize + FF F7D03437 4 Bytes [AC, F1, 3F, 82]
PAGE CLASSPNP.SYS!ClassInitialize + 10A F7D03442 4 Bytes [72, 37, 40, 82]
PAGE CLASSPNP.SYS!ClassInitialize + 111 F7D03449 4 Bytes [66, 37, 40, 82]
PAGE CLASSPNP.SYS!ClassInitialize + 118 F7D03450 4 Bytes [6C, 37, 40, 82]
PAGE ...
? C:\DOCUME~1\fixer\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\Explorer.EXE[1556] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 013C2B7D
.text C:\WINDOWS\Explorer.EXE[1556] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 013C2B3A
.text C:\WINDOWS\Explorer.EXE[1556] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 013C2AFE
.text C:\WINDOWS\Explorer.EXE[1556] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 013C2AE3
.text C:\WINDOWS\Explorer.EXE[1556] WS2_32.dll!send 71AB4C27 5 Bytes JMP 013C296F
.text C:\WINDOWS\Explorer.EXE[1556] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 013C2A61
.text C:\WINDOWS\Explorer.EXE[1556] WS2_32.dll!recv 71AB676F 5 Bytes JMP 013C29A7
.text C:\WINDOWS\Explorer.EXE[1556] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 013C29DF
.text C:\Program Files\Mozilla Firefox\firefox.exe[3280] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 014D2B7D
.text C:\Program Files\Mozilla Firefox\firefox.exe[3280] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 014D2B3A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3280] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 014D2AFE
.text C:\Program Files\Mozilla Firefox\firefox.exe[3280] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 014D2AE3
.text C:\Program Files\Mozilla Firefox\firefox.exe[3280] WS2_32.dll!send 71AB4C27 5 Bytes JMP 014D296F
.text C:\Program Files\Mozilla Firefox\firefox.exe[3280] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 014D2A61
.text C:\Program Files\Mozilla Firefox\firefox.exe[3280] WS2_32.dll!recv 71AB676F 5 Bytes JMP 014D29A7
.text C:\Program Files\Mozilla Firefox\firefox.exe[3280] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 014D29DF
---- Devices - GMER 1.0.15 ----
Device \Driver\Cdrom \Device\CdRom0 82403760
Device \Driver\Cdrom \Device\CdRom0 823FF1AC
Device \Driver\Cdrom \Device\CdRom1 82403760
Device \Driver\Cdrom \Device\CdRom1 823FF1AC
Device \Driver\Disk \Device\Harddisk0\DR0 82403760
Device \Driver\Disk \Device\Harddisk0\DR0 823FF1AC
Device \Driver\Disk \Device\Harddisk1\DR4 82403760
Device \Driver\Disk \Device\Harddisk1\DR4 823FF1AC
Device \Driver\Disk \Device\Harddisk1\DP(1)0-0+8 82403760
Device \Driver\Disk \Device\Harddisk1\DP(1)0-0+8 823FF1AC
Device \Driver\Disk \Device\Harddisk2\DR5 82403760
Device \Driver\Disk \Device\Harddisk2\DR5 823FF1AC
Device \Driver\Disk \Device\Harddisk2\DP(1)0-0+9 82403760
Device \Driver\Disk \Device\Harddisk2\DP(1)0-0+9 823FF1AC
Device \Driver\Disk \Device\Harddisk3\DP(1)0-0+a 82403760
Device \Driver\Disk \Device\Harddisk3\DP(1)0-0+a 823FF1AC
Device \Driver\Disk \Device\Harddisk3\DR6 82403760
Device \Driver\Disk \Device\Harddisk3\DR6 823FF1AC
Device \Driver\Disk \Device\Harddisk4\DP(1)0-0+b 82403760
Device \Driver\Disk \Device\Harddisk4\DP(1)0-0+b 823FF1AC
Device \Driver\Disk \Device\Harddisk4\DR7 82403760
Device \Driver\Disk \Device\Harddisk4\DR7 823FF1AC
AttachedDevice \FileSystem\Fastfat \Fat VET-FILT.SYS (CA Antivirus File Protection Driver/Computer Associates International, Inc.)
---- Threads - GMER 1.0.15 ----
Thread System [4:1404] 8243A260
Thread System [4:1408] 82428280
Thread System [4:1412] 8246D910
Thread System [4:1416] 8240B610
Thread System [4:2540] 8243A260
Thread System [4:3096] 82428280
Thread System [4:3392] 8246D910
Thread System [4:300] 8240B610
---- Registry - GMER 1.0.15 ----
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain@Asynchronous 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain@Impersonate 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain@DllName crypt32.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain@Logoff ChainWlxLogoffEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet@Asynchronous 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet@Impersonate 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet@DllName cryptnet.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet@Logoff CryptnetWlxLogoffEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@DLLName cscdll.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Logon WinlogonLogonEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Logoff WinlogonLogoffEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@ScreenSaver WinlogonScreenSaverEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Startup WinlogonStartupEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Shutdown WinlogonShutdownEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@StartShell WinlogonStartShellEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Impersonate 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Asynchronous 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Asynchronous 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@DllName %SystemRoot%\System32\dimsntfy.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Startup WlDimsStartup
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Shutdown WlDimsShutdown
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Logon WlDimsLogon
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Logoff WlDimsLogoff
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@StartShell WlDimsStartShell
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Lock WlDimsLock
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Unlock WlDimsUnlock
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@DLLName wlnotify.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Logon SCardStartCertProp
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Logoff SCardStopCertProp
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Lock SCardSuspendCertProp
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Unlock SCardResumeCertProp
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Enabled 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Impersonate 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Asynchronous 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule@Asynchronous 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule@DllName wlnotify.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule@Impersonate 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule@StartShell SchedStartShell
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule@Logoff SchedEventLogOff
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy@Logoff WLEventLogoff
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy@Impersonate 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy@Asynchronous 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy@DllName sclgntfy.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@DLLName WlNotify.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Lock SensLockEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Logon SensLogonEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Logoff SensLogoffEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Safe 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@MaxWait 600
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@StartScreenSaver SensStartScreenSaverEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@StopScreenSaver SensStopScreenSaverEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Startup SensStartupEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Shutdown SensShutdownEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@StartShell SensStartShellEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@PostShell SensPostShellEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Disconnect SensDisconnectEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Reconnect SensReconnectEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Unlock SensUnlockEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Impersonate 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Asynchronous 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Asynchronous 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@DllName wlnotify.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Impersonate 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Logoff TSEventLogoff
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Logon TSEventLogon
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@PostShell TSEventPostShell
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Shutdown TSEventShutdown
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@StartShell TSEventStartShell
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Startup TSEventStartup
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@MaxWait 600
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Reconnect TSEventReconnect
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Disconnect TSEventDisconnect
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon@DLLName wlnotify.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon@Logon RegisterTicketExpiredNotificationEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon@Logoff UnregisterTicketExpiredNotificationEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon@Impersonate 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon@Asynchronous 1
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior; MBR rootkit code detected <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 34: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 35: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 37: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior; malicious code @ sector 0x12a18ac1 size 0x1ae
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR
---- EOF - GMER 1.0.15 ----
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> 0x82403766
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> 0x8243def0
Warning: possible MBR rootkit infection !
MBR rootkit code detected !
copy of MBR has been found in sector 37 !
malicious code @ sector 0x12a18ac1 size 0x1ae !
copy of MBR has been found in sector 62 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
PE file found in sector at 0x012A18AC1 !
Edited by clxskeeg, 28 April 2010 - 03:52 AM.
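Two things in the logs above are worth pulling out mechanically rather than by eye. In the "User code sections" part of the GMER log, the same three ADVAPI32 CryptoAPI exports and the same five WS2_32 socket exports are inline-hooked (a JMP patched into the DLL's .text) in both Explorer.EXE and firefox.exe, and the JMP targets differ only in their upper bytes (013C2xxx versus 014D2xxx): one injected blob mapped at a different base in each process. In the "Disk sectors" part, and again in the mbr.exe output, sector 0 is flagged, two copies of the MBR sit at sectors 37 and 62, and a payload pointer ("malicious code @ sector 0x12a18ac1 size 0x1ae") is recorded. The following Python script is an added example, not part of the original post and not GMER's or mbr.exe's own code: it parses lines in the format shown in the post (the embedded sample is a constructed subset of those lines) and reports the hooked processes, whether the hook targets share one relative layout, and which flagged sectors fall in the unpartitioned gap before the first partition. It only reads the log text; it never touches the disk. The 63-sector first-partition offset is an assumption (the usual layout for an XP-era MBR disk) and is a parameter.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the GMER lines quoted in the post above.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\Explorer.EXE[1556] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 013C2B3A
.text C:\WINDOWS\Explorer.EXE[1556] WS2_32.dll!send 71AB4C27 5 Bytes JMP 013C296F
.text C:\WINDOWS\Explorer.EXE[1556] WS2_32.dll!recv 71AB676F 5 Bytes JMP 013C29A7
.text C:\Program Files\Mozilla Firefox\firefox.exe[3280] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 014D2B3A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3280] WS2_32.dll!send 71AB4C27 5 Bytes JMP 014D296F
.text C:\Program Files\Mozilla Firefox\firefox.exe[3280] WS2_32.dll!recv 71AB676F 5 Bytes JMP 014D29A7
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior; MBR rootkit code detected <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 37: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior; malicious code @ sector 0x12a18ac1 size 0x1ae
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR
"""

# ".text <image>[<pid>] <dll>!<export> <addr> <n> Bytes JMP <target>"
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\[\d+\])\s+(?P<api>\S+!\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+\d+\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)\s*$"
)
DISK_RE = re.compile(r"^Disk\s+\S+\s+sector\s+(?P<sector>\d+):\s*(?P<detail>.*?)\s*$")
CODE_RE = re.compile(r"malicious code @ sector (0x[0-9A-Fa-f]+) size (0x[0-9A-Fa-f]+)")


def parse_hooks(text):
    """One dict per inline hook (JMP out of a system DLL's .text) in the user-code section."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if m:
            hooks.append({"proc": m["proc"], "api": m["api"],
                          "addr": int(m["addr"], 16), "target": int(m["target"], 16)})
    return hooks


def parse_disk(text):
    """(sector, detail) for every sector GMER flagged in the disk-sectors section."""
    out = []
    for line in text.splitlines():
        m = DISK_RE.match(line)
        if m:
            out.append((int(m["sector"]), m["detail"]))
    return out


def relative_layout(hooks):
    """Map each process to {api: target - lowest target in that process}.

    A payload injected into several processes is mapped at a different base in each,
    but the hook targets keep the same offsets relative to one another.
    """
    by_proc = defaultdict(dict)
    for h in hooks:
        by_proc[h["proc"]][h["api"]] = h["target"]
    return {p: {a: t - min(m.values()) for a, t in m.items()} for p, m in by_proc.items()}


def triage(text, first_partition_lba=63):
    """Summarise the indicators a responder would pull from a GMER log of this shape.

    first_partition_lba=63 is an assumption: the usual start of the first partition on
    an XP-era MBR disk, which leaves sectors 1..62 unpartitioned and usable by an MBR rootkit.
    """
    layout = relative_layout(parse_hooks(text))
    procs = sorted(layout)
    api_sets = [set(layout[p]) for p in procs]
    common = sorted(set.intersection(*api_sets)) if api_sets else []
    same_layout = bool(procs) and all(
        layout[p][a] == layout[procs[0]][a] for p in procs for a in common)
    disk = parse_disk(text)
    code = next(filter(None, (CODE_RE.search(d) for _, d in disk)), None)
    return {
        "processes": procs,
        "apis_hooked_in_every_process": common,
        "same_relative_layout": same_layout,
        "flagged_sectors": sorted(s for s, _ in disk),
        "mbr_copies": sorted(s for s, d in disk if "copy of MBR" in d),
        "sectors_in_pre_partition_gap": sorted(s for s, _ in disk if 0 < s < first_partition_lba),
        "malicious_code": {"sector": int(code[1], 16), "size": int(code[2], 16)} if code else None,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a full GMER log, `same_relative_layout` turning up True across two unrelated processes is the useful signal: a legitimate product that hooks Winsock usually does so from a loaded DLL that GMER names, not from an anonymous address that moves with each process. The disk half of the summary is only a reading of what GMER already printed; confirming the MBR itself means reading sector 0 and the flagged sectors from a clean boot environment, which this script deliberately does not attempt.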