Author Topic: MBR : \.\\PHYSICALDRIVE0\PARTITION2  (Read 15850 times)


willo.c

  • Guest
Re: MBR : \.\\PHYSICALDRIVE0\PARTITION2
« Reply #15 on: April 02, 2012, 06:33:31 PM »
Jeff,

I deleted the small partition... Now everything is OK!!! :))
Avast doesn't find anything.. Even Malwarebytes doesn't find anything..

Thanks a lot!! ;) ;) ;)

Is there something i can do to prevent any other rootkit?

jeffce

  • Guest
Re: MBR : \.\\PHYSICALDRIVE0\PARTITION2
« Reply #16 on: April 02, 2012, 06:37:02 PM »
Oh now stay with me...there was more on your system than just that.

Were you able to get aswMBR to run?  If so please post that log.  I want to make sure your system is on the up-and-up.  :)

willo.c

  • Guest
Re: MBR : \.\\PHYSICALDRIVE0\PARTITION2
« Reply #17 on: April 02, 2012, 08:14:51 PM »
 :( :( :(

You were right..

Now the process Services.exe is running on my CPU over 90%..

But I'm able to run aswMBR.. I'm going to post the log when it finishes the scan..
« Last Edit: April 02, 2012, 08:21:05 PM by willo.c »

willo.c

  • Guest
Re: MBR : \.\\PHYSICALDRIVE0\PARTITION2
« Reply #18 on: April 02, 2012, 08:35:48 PM »
Here is the log of aswMBR..

I ran it in Safe Mode..

jeffce

  • Guest
Re: MBR : \.\\PHYSICALDRIVE0\PARTITION2
« Reply #19 on: April 02, 2012, 08:47:17 PM »
Hi,

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • when the window opens, click on Change Parameters
  • under "Additional options", put a check mark in the box next to "Detect TDLFS File System"
  • click OK
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)
----------

Please read through these instructions to familiarize yourself with what to expect when this tool runs

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.  Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. CF disconnects your machine from the internet.  The connection is automatically restored before CF completes its run.  If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
----------

In your next reply please post the logs made by TDSSKiller and ComboFix.  :)

willo.c

  • Guest
Re: MBR : \.\\PHYSICALDRIVE0\PARTITION2
« Reply #20 on: April 02, 2012, 11:40:23 PM »
Jeff,

I ran them in Safe Mode again..

Attached the logs..

jeffce

  • Guest
Re: MBR : \.\\PHYSICALDRIVE0\PARTITION2
« Reply #21 on: April 03, 2012, 02:36:25 AM »
Hi willo.c,

I need some information on some unidentified files. We will use VirusTotal. Please submit these files for analysis.

To submit a file to virustotal, please click  VirusTotal

Copy and paste the following into the "upload a file" box (one at a time if more than one file is listed):

c:\windows\system32\Smab0.dll
c:\windows\system32\VistaUltm.dll


Scroll down a bit and click "send file", wait for the results and attach them in your next reply.

Please note that sometimes the scans take a few minutes. Please ensure that the scan has completed and the results are complete before submitting the next sample. Also please make sure each result is clearly identified as to which sample they belong to.
----------

willo.c

  • Guest
Re: MBR : \.\\PHYSICALDRIVE0\PARTITION2
« Reply #22 on: April 03, 2012, 04:47:25 PM »
Jeff,

I'm going to do the next step in 40 minutes..

jeffce

  • Guest
Re: MBR : \.\\PHYSICALDRIVE0\PARTITION2
« Reply #23 on: April 03, 2012, 05:02:15 PM »
That is fine.  No hurry.

willo.c

  • Guest
Re: MBR : \.\\PHYSICALDRIVE0\PARTITION2
« Reply #24 on: April 03, 2012, 05:53:41 PM »
I analysed the files, but I did not find the "send file" button, so..

SHA256:    d4ceed9eeecab9ec14b0bbe3bff53285719295d2c6ba235496c7526890b0a6d2
File name:    Smab0.dll
Detection ratio:    2 / 42
Analysis date:    2012-03-27 13:21:35 UTC ( 1 settimana ago )
Antivirus    Result    Update
AhnLab-V3    -    20120326
AntiVir    -    20120327
Antiy-AVL    -    20120327
Avast    -    20120327
AVG    -    20120327
BitDefender    -    20120327
ByteHero    -    20120327
CAT-QuickHeal    -    20120327
ClamAV    PUA.Packed.PECompact-1    20120327
Commtouch    -    20120327
Comodo    -    20120327
DrWeb    -    20120327
Emsisoft    -    20120327
eSafe    Suspicious File    20120326
eTrust-Vet    -    20120327
F-Prot    -    20120327
F-Secure    -    20120327
Fortinet    -    20120327
GData    -    20120327
Ikarus    -    20120327
Jiangmin    -    20120326
K7AntiVirus    -    20120326
Kaspersky    -    20120327
McAfee    -    20120327
McAfee-GW-Edition    -    20120327
Microsoft    -    20120327
NOD32    -    20120327
Norman    -    20120327
nProtect    -    20120327
Panda    -    20120327
PCTools    -    20120326
Rising    -    20120327
Sophos    -    20120327
SUPERAntiSpyware    -    20120323
Symantec    -    20120327
TheHacker    -    20120326
TrendMicro    -    20120327
TrendMicro-HouseCall    -    20120327
VBA32    -    20120327
VIPRE    -    20120327
ViRobot    -    20120327
VirusBuster    -    20120323

SHA256:    87f87804767a255f95873b59f5a841e47dc749d84679b018328eb86109b85715
File name:    vistaultm.dll
Detection ratio:    3 / 43
Analysis date:    2012-03-25 10:02:11 UTC ( 1 settimana, 2 giorni ago )
Antivirus    Result    Update
AhnLab-V3    -    20120324
AntiVir    -    20120323
Antiy-AVL    -    20120325
Avast    -    20120325
AVG    -    20120325
BitDefender    -    20120325
ByteHero    -    20120319
CAT-QuickHeal    -    20120324
ClamAV    PUA.Packed.PECompact-1    20120325
Commtouch    -    20120325
Comodo    -    20120325
DrWeb    -    20120325
Emsisoft    -    20120325
eSafe    Suspicious File    20120322
eTrust-Vet    -    20120323
F-Prot    -    20120325
F-Secure    -    20120325
Fortinet    -    20120324
GData    -    20120325
Ikarus    -    20120325
Jiangmin    -    20120324
K7AntiVirus    -    20120323
Kaspersky    -    20120325
McAfee    -    20120325
McAfee-GW-Edition    -    20120324
Microsoft    -    20120325
NOD32    -    20120325
Norman    -    20120324
nProtect    -    20120325
Panda    -    20120325
PCTools    -    20120323
Prevx    -    20120325
Rising    -    20120323
Sophos    -    20120325
SUPERAntiSpyware    Trojan.Agent/Gen-StartPage    20120323
Symantec    -    20120325
TheHacker    -    20120324
TrendMicro    -    20120325
TrendMicro-HouseCall    -    20120325
VBA32    -    20120323
VIPRE    -    20120325
ViRobot    -    20120324
VirusBuster    -    20120323

Tell me if it is enough..

Orkkongen

  • Guest
Re: MBR : \.\\PHYSICALDRIVE0\PARTITION2
« Reply #25 on: April 03, 2012, 05:55:19 PM »
In the waiting time, you could have a look on my problem... :D ("Having fun with....") It seems like I have quite a lot in common with this thread... (well no more waiting time here... damn...)

willo.c

  • Guest
Re: MBR : \.\\PHYSICALDRIVE0\PARTITION2
« Reply #26 on: April 03, 2012, 06:13:31 PM »
Additional info..  :)

jeffce

  • Guest
Re: MBR : \.\\PHYSICALDRIVE0\PARTITION2
« Reply #27 on: April 03, 2012, 07:03:54 PM »
Hi,

Thanks for getting those for me.   Are you still using ZoneAlarm as your firewall by chance?
----------
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
Code:
Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21173:TCP"=-
"21173:UDP"=-
"11578:TCP"=-
"11578:UDP"=-
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.



  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------
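A defender-side check for the two persistence points the CFScript above cleans, as an added PowerShell example (not part of the thread, ComboFix or any other tool mentioned): it lists RunOnce values and the Windows Firewall GloballyOpenPorts exceptions so leftovers such as the two ports above can be spotted after cleanup. It assumes that ComboFix's `HKLM\~\services` shorthand expands to `HKLM\SYSTEM\CurrentControlSet\Services`.

```powershell
# Added example, not ComboFix's own code: read-only audit of the registry
# locations the CFScript above removes entries from. Run from an elevated shell.
# Assumption: ComboFix's "HKLM\~\services" = HKLM\SYSTEM\CurrentControlSet\Services.

function Get-RunOnceEntries {
    # RunOnce is normally empty; anything here runs at the next logon and deserves a look.
    $keys = @(
        'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Get-GloballyOpenPorts {
    # Legacy Windows Firewall exception list; values look like "21173:TCP:*:Enabled:name".
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List'
    if (-not (Test-Path $key)) { return }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -notmatch '^(\d+):(TCP|UDP)$') { continue }
        $f = [string]$p.Value -split ':'
        [pscustomobject]@{
            Port     = [int]$Matches[1]
            Protocol = $Matches[2]
            Scope    = $f[2]                     # '*' means any remote address
            State    = $f[3]                     # Enabled / Disabled
            Name     = $(if ($f.Count -gt 4) { $f[4..($f.Count - 1)] -join ':' } else { '' })
        }
    }
}

# Ports the thread's CFScript removes; flag them if they are still present.
$suspect = 21173, 11578
Get-RunOnceEntries | Format-Table -AutoSize
Get-GloballyOpenPorts |
    Select-Object *, @{ n = 'Flagged'; e = { $suspect -contains $_.Port } } |
    Format-Table -AutoSize
```

Any RunOnce value or an Enabled exception with Scope `*` that nobody on the machine recognises is worth sending to the helper before it is removed.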

willo.c

  • Guest
Re: MBR : \.\\PHYSICALDRIVE0\PARTITION2
« Reply #28 on: April 03, 2012, 09:59:22 PM »
Here is the new ComboFix log.


jeffce

  • Guest
Re: MBR : \.\\PHYSICALDRIVE0\PARTITION2
« Reply #29 on: April 03, 2012, 10:07:04 PM »
Hi,

Quote
Are you still using ZoneAlarm as your firewall by chance?
----------

Malwarebytes

I see that you have Malwarebytes already on your computer.  Please open Malwarebytes, update it and then run a Quick Scan.  Save the log that is created for your next reply.
----------

ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



As a Vista/Win7 user you will need to right click your browser icon and select "Run as Administrator" in order to run this scan.
  • Do not use this instance of your browser for anything besides doing this scan
  • When the scan is complete and the results saved, close that instance of your browser
  • Open a new one the usual way and post the results in this topic.
  1. Right-click and Run as Administrator on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
     • Click on to download the ESET Smart Installer. Save it to your desktop.
     • Double click on the icon on your desktop.
     • Check
  4. Click the Start button.
  5. Accept any security warnings from your browser.
  6. Check
  7. Make sure that the option "Remove found threats" is Unchecked
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the Back button.
  13. Push Finish
http://www.eset.com/onlinescan/
----------

In your next reply please attach the logs made by Malwarebytes and ESET online scanner.  :)