I hope this is the right section for this, but I suspect my computer might have been infected with a rootkit after a recent browser takeover. When (full)scanning with MalwareBytes and Avast it BSOD after an hour or so. Spybot picked up a few problems and fixed them but MalwareBytes or Avast quick scans come out clean. Upon scanning with aswMBR two red lines appear(@12:47:57.777 and @12:47:57.792), here is the log:

aswMBR version 0.9.7.675 Copyright(c) 2011 AVAST Software
Run date: 2011-06-20 12:47:50

12:47:50.527 OS Version: Windows x64 6.1.7600
12:47:50.527 Number of processors: 8 586 0x1A05
12:47:50.527 ComputerName: SPOONEDTODEATH UserName: MagicMan
12:47:51.433 Initialize success
12:47:51.511 AVAST engine defs: 11061900
12:47:55.699 Disk 0 \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP4T1L0-c
12:47:55.699 Disk 0 Vendor: WDC_WD3200AAKS-22SBA0 12.01B01 Size: 305245MB BusType: 3
12:47:55.699 Disk 1 (boot) \Device\Harddisk1\DR1 → \Device\Ide\IdeDeviceP5T1L0-a
12:47:55.699 Disk 1 Vendor: SAMSUNG_HD103UJ 1AA01118 Size: 953869MB BusType: 3
12:47:55.714 Disk 1 MBR read successfully
12:47:55.714 Disk 1 MBR scan
12:47:55.714 Disk 1 Windows 7 default MBR code
12:47:55.714 Service scanning
12:47:57.761 Disk 1 trace - called modules:
12:47:57.777 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa800b08c2c0]<<
12:47:57.777 1 nt!IofCallDriver → \Device\Harddisk1\DR1[0xfffffa800b5b1060]
12:47:57.792 3 CLASSPNP.SYS[fffff8800140143f] → nt!IofCallDriver → [0xfffffa800b232670]
12:47:57.792 5 ACPI.sys[fffff8800119b781] → nt!IofCallDriver → \Device\Ide\IdeDeviceP5T1L0-a[0xfffffa800b24b060]
12:47:57.792 \Driver\atapi[0xfffffa800b1d3920] → IRP_MJ_CREATE → 0xfffffa800b08c2c0
12:47:58.496 AVAST engine scan C:\Windows
12:51:58.121 Disk 1 MBR has been saved successfully to “C:\Users\MagicMan\Desktop\MBR.dat”
12:51:58.121 The log file has been saved successfully to “C:\Users\MagicMan\Desktop\aswMBR.txt”

Also I have yet to completely finish a full scan, either it will lock up the system or BSOD. Here is the BSOD info. ::EDIT:: I think it has something to do with the “AV engine” selection. If I select “none” the scan finishes immediately and posts the same results.

Problem signature
Problem Event Name BlueScreen
OS Version 6.1.7600.2.0.0.768.3
Locale ID 1033

Additional information about the problem
BCCode be
BCP1 FFFFF88000EA30B0
BCP2 8000000003CC6161
BCP3 FFFFF8800DD8B300
BCP4 000000000000000B
OS Version 6_1_7600
Service Pack 0_0
Product 768_1

Files that help describe the problem
CWindowsMinidump062011-24140-01.dmp
CUsersMagicManAppDataLocalTempWER-42578-0.sysdata.xml

Read our privacy statement online
httpgo.microsoft.comfwlinklinkid=104288&clcid=0x0409

If the online privacy statement is not available, please read our privacy statement offline
CWindowssystem32en-USerofflps.txt

Thanks in advance. Any help is appreciated.
-Kevin

Presumably you are also getting avast alerts on Malicious URLs ?

As this Unknown element has been associated by a rootkit and not specifically an MBR rootkit which aswMBR is looking for.

So you can try this tool that is looking more specifically at rootkits:

Thank you for the quick reply, hopefully this new log will give you some useful information. If you need any other scans please let me know and I’ll post them immediately. The scan found one locked object similar to the one in the example.

Again, many thanks,
-Kevin

TDSSKiller Log Attached (Could not paste, exceeds 1000 character limit)

(Please see next post for ANSI formatted log file)

you need to save the log as ANSI as now it is just Chinese gibbely gobbel

Sorry about that, here is the updated log saved in ANSI.

Thanks again.

This could be Volsnap infection as that is TDSSKillers blind spot

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
[]Double click on ComboFix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Here is the ComboFix Log Report. Not sure if this was normal, but it restarted my computer and prepared the Log Report upon starting up. Also Windows wants to run a CHKDSK when it boots, should I let it?

Thanks again.

Yes allow a checkdisc

Hmm not much showing there - what are your current symptoms ?

• Allowed windows to run CHKDSK upon reboot, this time it worked for one of the drives. On the other drive (f:) CHKDSK tries to repair the security descriptors but failes due to:

“Insufficient disk space to fix the security descriptors data stream”

While…

“Inserting an index entry with Id XXXX into index $SII of file 9”

Where XXXX is a number continually increasing. CHKDSK is still currently running switching between those two lines.

::EDIT::
CHKDSK finally finished and posted this:

Repairing the security file record segment.
161552 file SDs/SIDs processed
Security descriptor verification completed.
13101 data files processed.
CHKDSK is verifying Usn Journal…
Repairing usn journal $J data stream.
Usn journal verification completed.
Insufficient disk space to fix uppercase file.
CHKDSK aborted.

• Also I cannot start up into safe mode because the system also hangs up on classpnp.sys.

• Additionally I cannot complete a full system scan with either Avast or MalewareBytes without Windows crashing and BSOD’ing (see code in OP). I believe the original code was something like this (searched on my laptop to see what caused the BSOD)

Problem Event Name: BlueScreen
OS Version: 6.1.7600.2.0.0.768.3
Locale ID: 2057

Additional information about the problem:
BCCode: 9c
BCP1: 0000000000000000
BCP2: FFFFF8800318EC70
BCP3: 0000000000000000
BCP4: 0000000000000000
OS Version: 6_1_7600
Service Pack: 0_0
Product: 768_1

• Also I still need to install SP1 for Windows 7, which might help. Windows will say “Shutting Down” for a long time whereas before would shut down immediately, now have to manually turn off. About half the time Windows tries to start but never gets past the “Starting Window” screen (black with the Windows icon, and Copyright Microsoft Corporation). All these issues started with the browser takeover (could not close, infinite popups had to ctrl alt del and scan leading to BSOD’s).

Update to SP1 and on completion could you an OTS scan as below

To ensure that I get all the information this log will need to be attached (instructions at the end) if it is to large to attach then upload to Mediafire and post the sharing link.

Download OTS to your Desktop

[*]Close ALL OTHER PROGRAMS.
[*]Double-click on OTS.exe to start the program.
[*]Check the box that says Scan All Users
[*]Check the box that says 64 bit
[*]Under Additional Scans check the following:

Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

[*]Under the Custom Scan box paste this in

%USERPROFILE%..|smtmp;true;true;true /FP
%SYSTEMDRIVE%*.exe
/md5start
classpnp.sys
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

Updating to SP1 and removing that old hard drive seemed to fix all the issues. I can now complete full scans with Avast (boot scan) and MalwareBytes without any issues. All scans turned up clean and now the computer is functioning again as normal. Do you recommend still doing and OTS scan?

If you are happy then no - I feel it was a problem with some system files being a bit corrupted

Thank you all so much for your help. Both my wife and I appreciate it.