HELP!!!
Running Windows Vista and having some problems. I have run scans; the logs are too big to post, so I have attached the four problems found:
13:35:33.0964 4300 DNIMp50 (2782a4549cc6558c52b0753126b2a833) C:\Windows\system32\Drivers\DNIMp50.sys
13:35:33.0990 4300 DNIMp50 ( UnsignedFile.Multi.Generic ) - warning
13:35:33.0990 4300 DNIMp50 - detected UnsignedFile.Multi.Generic (1)
13:35:34.0010 4300 DNISp50 (b222622709a919c91cb54a90cf7ceefc) C:\Windows\system32\Drivers\DNISp50.sys
13:35:34.0016 4300 DNISp50 ( UnsignedFile.Multi.Generic ) - warning
13:35:34.0017 4300 DNISp50 - detected UnsignedFile.Multi.Generic (1)
13:35:38.0429 4300 jswpsapi (78d233d835a8876035ac559afe02b940) C:\Program Files\NETGEAR\WN111v2\jswpsapi.exe
13:35:38.0456 4300 jswpsapi ( UnsignedFile.Multi.Generic ) - warning
13:35:38.0456 4300 jswpsapi - detected UnsignedFile.Multi.Generic (1)
13:35:48.0674 4300 SCDEmu (20b2751cd4c8f3fd989739ca661b9f30) C:\Windows\system32\drivers\SCDEmu.sys
13:35:48.0680 4300 SCDEmu ( UnsignedFile.Multi.Generic ) - warning
13:35:48.0680 4300 SCDEmu - detected UnsignedFile.Multi.Generic (1)
ANY IDEAS GUYS??? Been going on for about a month now; Avast found the rootkit this morning.
Welcome to Avast! forums Benny
Follow this guide: http://forum.avast.com/index.php?topic=53253.0
and attach (do not copy/paste) logs for Malwarebytes’, OTL, and aswMBR.exe here:
Where an expert in the removal of malware will help you.
Thank you,
Shall I start a new post with my logs etc.? Sorry, I’m new to all this.
No, continue here. Remember to attach the logs. Do not copy/paste. To attach them, look for "Attachments and other options" in blue at the end of the box when writing a reply.
Thanks for your help, one more attachment to follow…
Hi there, I see you are also running Ad-Aware antivirus… That may be the cause of the apparent rootkits. I would highly recommend that you only have one antivirus.
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
If you have Malwarebytes 1.6 or better installed, please disable it for the duration of this run.
To disable MBAM:
Open the scanner and select the protection tab
Remove the tick from “Start with Windows”
Reboot and then run OTL
http://i1224.photobucket.com/albums/ee362/Essexboy3/mbamstop.jpg
Run OTL
Under the Custom Scans/Fixes box at the bottom, paste in the following:
:OTL
IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2101}: "URL" = http://www.searchqu.com/web?src=ieb&appid=73&systemid=101&sr=0&q={searchTerms}
IE - HKU\S-1-5-21-3764034677-3449208877-2795386744-1000\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2101}: "URL" = http://www.searchqu.com/web?src=ieb&appid=73&systemid=101&sr=0&q={searchTerms}
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\searchqudtx.dll ()
O2 - BHO: (Loader Class) - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\Program Files\Windows Searchqu Toolbar\Datamngr\BrowserConnection.dll (Bandoo Media, inc)
O3 - HKLM\..\Toolbar: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\searchqudtx.dll ()
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O20 - AppInit_DLLs: (c:\progra~1\wi9130~1\datamngr\datamngr.dll) - c:\Program Files\Windows Searchqu Toolbar\Datamngr\datamngr.dll (Bandoo Media, inc)
O20 - AppInit_DLLs: (c:\progra~1\wi9130~1\datamngr\iebho.dll) - c:\Program Files\Windows Searchqu Toolbar\Datamngr\IEBHO.dll (Bandoo Media, inc)
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
Then click the Run Fix button at the top
Let the program run unhindered, reboot the PC when it is done
Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
Hope that’s right… thanks for your time, man.
Could you attach the aswMBR log please?
Also, have you considered what to keep as your antivirus… Ad-Aware or Avast?
I have uninstalled Ad-Aware now.
Three of the files are related to your network and the fourth is for an ISO utility.
Are you experiencing any problems now?
Yes, the icons on my desktop flicker erratically for a few seconds and then go back to normal. As I try to load either IE9 or Google Chrome, a web page opens, flickers and reloads a fresh page, which works fine.
Could be worth updating your video driver.