
Messed Up By 'System Check' Virus


7 replies to this topic

#1 johntt

johntt

  • Members
  • 19 posts
  • OFFLINE
  • Local time:10:37 AM

Posted 23 January 2012 - 04:57 AM

Mod Edit: Merged topics ~ Hamluis.

Hi,

My PC was hit by the 'System Check' virus this weekend.

This site proved extremely helpful and after browsing through various topics and posts, with the instructions and advice given I have been able to get back some functionality on my PC.

However I still have a few issues and I wondered if anyone could please point me in the right direction? Thanks in advance for any assistance given.

BROWSER ISSUES - Whenever I run IE or Chrome, when attempting to visit a web address via a search engine, I am redirected to a random site such as eBay, Groupon, etc.

MISSING FAVOURITES - All my bookmarks and favourites have disappeared.

MISSING PROGRAMS - When clicking the Start button, all programs have disappeared except for a handful such as solitaire. I can search for programs and they appear allowing me then to click on them and run.

LOCKED FOLDERS - When using Windows Explorer, some of my folders have a padlock on them and if I try to access them I get an "Access Denied" message.

SPEED - I think it's safe to say something is going on with my machine. Every task is running a lot slower than normal, as though the virus is running underneath and up to no good!

In line with the instructions on this site for removing System Check, over the last 48 hours I have run various programs such as Malwarebytes and I've played around with various settings such as changing the permissions of folders (those that are locked). No doubt I have tweaked one or two things that perhaps I shouldn't have, but it was in desperation.

Ideally I'd like to resolve the issues listed above but also give my PC some kind of 'deep clean' process in an attempt to rid all traces of System Check and any other viruses that may be present.

My e mail client (Outlook) seems to be working ok so I can receive any messages sent to me, I can also manually type in web addresses so can visit this site for any updates.

I'm extremely grateful for any assistance or advice. If you need any more system information please do not hesitate to ask but please bear in mind I am very much a novice on these things.

Thanks.

John

I followed the really helpful instructions given on other various threads and with the assistance of a more knowledgeable friend, we have got my box back to something like its normal state.

However, there are a couple of issues that we can't seem to crack.

Browser Redirect - When clicking on the results of a web search, I am constantly redirected to random web sites instead of the one I choose.

Rogue Folders - I seem to have acquired a large number of strange looking rogue folders within my drives, an example name is - 5f6bb6d04959c7db459999f3fa04d2f6, there are numerous others.

I'm certainly no expert but my gut feeling is that despite our best efforts, there are traces of the System Check virus remaining on my box.

I would be extremely grateful if anyone could please advise how I can rid myself of these issues and how I would go about a thorough 'deep clean' of my PC to ensure nothing nasty remains.

Thank you in advance for any assistance you can offer and if you need any further information, please do not hesitate to ask. Please bear in mind I am a novice in these issues.

Edited by hamluis, 24 January 2012 - 11:39 AM.
Moved from Win 7 to Am I Infected.


#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,698 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:08:37 AM

Posted 23 January 2012 - 12:44 PM

Welcome aboard

Let's see if we can recover your missing features.
Download and run UnHide.
Let me know if it worked.

Then.....

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

====================================================================================

Please download MiniToolBox and run it.

Checkmark the following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

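The places Broni asks MiniToolBox and Farbar Service Scanner to report (proxy settings, hosts file, Winsock providers, service state, system file hashes) are exactly where a search-result redirect usually lives, so a helper reads those sections first. As an added example, not code from this thread or from either tool, here is a Python triage script that parses that log layout and flags the entries worth a second look; the sample log is constructed, with a proxy, a stray hosts entry and an unsigned Winsock provider planted to trigger the checks, and the "ProxyServer:" and "MD5 is not legit" wordings are assumptions rather than the tools' verified output.

```python
import re
from typing import Dict, List

# Constructed sample in the MiniToolBox / Farbar Service Scanner layout seen in
# this thread. The enabled proxy, the second hosts entry, the vendor-less
# Winsock provider, the stopped service and the failed hash are planted on
# purpose; the exact "ProxyServer:" / "MD5 is not legit" wording is assumed.
SAMPLE_LOG = r"""
========================= IE Proxy Settings: ==============================

Proxy is enabled.
ProxyServer: http=127.0.0.1:8080

========================= FF Proxy Settings: ==============================

========================= Hosts content: =================================

127.0.0.1 localhost
198.51.100.7 www.google.com

========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog5 03 C:\Program Files (x86)\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog5 04 C:\Users\John\AppData\Roaming\unknownlsp.dll [40960] ()

System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.

File Check:
========
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\drivers\tcpip.sys => MD5 is not legit
"""

# "========================= Hosts content: =====" style headers; a bare run of
# '=' (the FSS underline) has no name and therefore does not match.
SECTION_RE = re.compile(r"^=+\s*(?P<name>[^=]+?)\s*=+$")
WINSOCK_RE = re.compile(
    r"^(x64-)?Catalog\d+\s+\d+\s+(?P<path>.+?)\s+\[\d+\]\s+\((?P<vendor>.*)\)$")
SERVICE_DOWN_RE = re.compile(r"^(?P<svc>\S+) Service is not running")
FILECHECK_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) => (?P<verdict>.+)$")

# Vendor strings Windows' own providers carry in this log; anything else is
# listed for review, which does not by itself mean it is malicious.
TRUSTED_VENDORS = {"Microsoft Corporation", "Microsoft Corp."}


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group lines under the MiniToolBox section header they follow."""
    sections: Dict[str, List[str]] = {"preamble": []}
    current = "preamble"
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group("name").strip().rstrip(":")
            sections[current] = []
        else:
            sections[current].append(line.rstrip())
    return sections


def check_proxy(sections: Dict[str, List[str]]) -> List[str]:
    """A redirect hijack often sets a browser proxy; report any enabled one."""
    findings = []
    for name in ("IE Proxy Settings", "FF Proxy Settings"):
        for line in sections.get(name, []):
            if line.startswith("Proxy is enabled") or line.startswith("ProxyServer"):
                findings.append(f"{name}: {line}")
    return findings


def check_hosts(sections: Dict[str, List[str]]) -> List[str]:
    """Only loopback -> localhost belongs in a clean hosts file."""
    findings = []
    for line in sections.get("Hosts content", []):
        parts = line.split()
        if len(parts) < 2 or line.startswith("#"):
            continue
        ip, names = parts[0], parts[1:]
        if not (ip in ("127.0.0.1", "::1") and all(n == "localhost" for n in names)):
            findings.append(f"Hosts: {line}")
    return findings


def check_winsock(sections: Dict[str, List[str]]) -> List[str]:
    """List Winsock (LSP/NSP) providers that are not Microsoft's own."""
    findings = []
    for line in sections.get("Winsock entries", []):
        m = WINSOCK_RE.match(line)
        if m and m.group("vendor") not in TRUSTED_VENDORS:
            vendor = m.group("vendor") or "no vendor"
            findings.append(f"Winsock: {m.group('path')} ({vendor})")
    return findings


def check_services_and_files(text: str) -> List[str]:
    """FSS lines: stopped services and system files whose MD5 did not verify."""
    findings = []
    for line in text.splitlines():
        m = SERVICE_DOWN_RE.match(line)
        if m:
            findings.append(f"Service: {m.group('svc')} not running")
            continue
        m = FILECHECK_RE.match(line)
        if m and m.group("verdict") != "MD5 is legit":
            findings.append(f"File: {m.group('path')} -> {m.group('verdict')}")
    return findings


def triage(text: str) -> List[str]:
    """Run every check over one pasted log and return the flagged lines."""
    sections = split_sections(text)
    return (check_proxy(sections) + check_hosts(sections)
            + check_winsock(sections) + check_services_and_files(text))


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the log actually posted later in this thread the proxy, hosts and file checks come back clean, which is consistent with the helper moving on to an MBR scan rather than a hosts or proxy fix.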


 


#3 johntt

johntt
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:10:37 AM

Posted 24 January 2012 - 03:21 AM

Hi,

First of all, thank you for your really quick response.

Before I start to follow your instructions, I thought I'd better update you on where I am at.

A friend gave me some assistance last night and we made a bit of progress as regards the issues I listed. The problems with missing favourites and programs, locked folders and the speed seem to have in the main been resolved.

However, I still have the browser redirect issues and we also noticed a number of strange looking rogue folders on my hard drive.

It was pointed out to me that I probably posted the initial request for help under an inappropriate part of the forum and should have used the 'Security' section instead of 'Operating System'. As a result I started a new thread this morning - http://www.bleepingcomputer.com/forums/topic439657.html and was on my way to close this one down when I noticed your reply. I see you have moved the original thread to an appropriate place.

Apologies for the dual posting, please feel free to close one of the threads down or if that's something I need to do myself just let me know.

I'll wait to hear from you as to whether to begin the process you listed, or whether in light of the developments listed above, I need to be starting from a different point in the process.

Once again, thank you for your assistance.

John

#4 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:10:37 AM

Posted 24 January 2012 - 11:03 AM

EDIT:

Edited by narenxp, 24 January 2012 - 11:55 AM.


#5 johntt

johntt
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:10:37 AM

Posted 26 January 2012 - 05:26 PM

Hi,

Thanks very much for the guidance.

============================================

I ran UnHide; it seemed to run fine and it looks like the missing programs have returned.

============================================

Then ran Security Check, the notepad document is as follows :-


Results of screen317's Security Check version 0.99.24
Windows 7 x64 (UAC is enabled)
Internet Explorer 9
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner
Java™ 6 Update 27
Adobe Flash Player ( 10.1.82.76) Flash Player Out of Date!
Mozilla Firefox (x86 en-GB..)
````````````````````````````````
Process Check:
objlist.exe by Laurent

AVG avgwdsvc.exe
AVG avgtray.exe
``````````End of Log````````````

========================================

Ran Farbar; this was the output:

Farbar Service Scanner Version: 18-01-2012 01
Ran by John (administrator) on 26-01-2012 at 21:56:28
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.


System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
===========

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

==========================================

Ran MiniToolBox; this was the result:

MiniToolBox by Farbar Version: 18-01-2012
Ran by John (administrator) on 26-01-2012 at 21:59:08
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

========================= Hosts content: =================================

127.0.0.1 localhost

========================= IP Configuration: ================================

Realtek PCIe GBE Family Controller = Local Area Connection (Connected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : John-Desktop
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : E0-CB-4E-B8-B9-2C
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::b90e:b086:d0de:94ce%10(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.3(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : 26 January 2012 08:24:45
Lease Expires . . . . . . . . . . : 27 January 2012 20:24:45
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 199281486
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-12-E2-54-29-E0-CB-4E-B8-B9-2C
DNS Servers . . . . . . . . . . . : 192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{BD958F6F-1437-48EC-857D-391387DFF845}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fd:468:e40:3f57:fefc(Preferred)
Link-local IPv6 Address . . . . . : fe80::468:e40:3f57:fefc%11(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled
Server: UnKnown
Address: 192.168.1.1

Name: google.com
Addresses: 173.194.67.106
173.194.67.99
173.194.67.103
173.194.67.104
173.194.67.147
173.194.67.105


Pinging google.com [173.194.67.105] with 32 bytes of data:
Reply from 173.194.67.105: bytes=32 time=34ms TTL=46
Reply from 173.194.67.105: bytes=32 time=34ms TTL=46

Ping statistics for 173.194.67.105:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 34ms, Maximum = 34ms, Average = 34ms
Server: UnKnown
Address: 192.168.1.1

Name: yahoo.com
Addresses: 98.139.180.149
209.191.122.70
72.30.2.43
98.137.149.56


Pinging yahoo.com [98.137.149.56] with 32 bytes of data:
Reply from 98.137.149.56: bytes=32 time=188ms TTL=52
Reply from 98.137.149.56: bytes=32 time=189ms TTL=52

Ping statistics for 98.137.149.56:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 188ms, Maximum = 189ms, Average = 188ms
Server: UnKnown
Address: 192.168.1.1

Name: bleepingcomputer.com
Address: 208.43.87.2


Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:
Reply from 208.43.87.2: Destination host unreachable.
Reply from 208.43.87.2: Destination host unreachable.

Ping statistics for 208.43.87.2:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
10...e0 cb 4e b8 b9 2c ......Realtek PCIe GBE Family Controller
1...........................Software Loopback Interface 1
12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
11...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.3 20
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.3 276
192.168.1.3 255.255.255.255 On-link 192.168.1.3 276
192.168.1.255 255.255.255.255 On-link 192.168.1.3 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.3 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.3 276
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
11 58 ::/0 On-link
1 306 ::1/128 On-link
11 58 2001::/32 On-link
11 306 2001:0:5ef5:79fd:468:e40:3f57:fefc/128
On-link
10 276 fe80::/64 On-link
11 306 fe80::/64 On-link
11 306 fe80::468:e40:3f57:fefc/128
On-link
10 276 fe80::b90e:b086:d0de:94ce/128
On-link
1 306 ff00::/8 On-link
11 306 ff00::/8 On-link
10 276 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145280] (Microsoft Corp.)
Catalog5 06 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145280] (Microsoft Corp.)
Catalog5 07 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog5 08 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog5 09 C:\Program Files (x86)\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [170880] (Microsoft Corp.)
x64-Catalog5 06 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [170880] (Microsoft Corp.)
x64-Catalog5 07 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog5 08 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog5 09 C:\Program Files\Bonjour\mdnsNSP.dll [132968] (Apple Inc.)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (01/26/2012 02:11:32 PM) (Source: Customer Experience Improvement Program) (User: )
Description: 80004005

Error: (01/26/2012 00:45:24 PM) (Source: Application Error) (User: )
Description: Faulting application name: Explorer.EXE, version: 6.1.7601.17567, time stamp: 0x4d672ee4
Faulting module name: msfeeds.dll, version: 9.0.8112.16421, time stamp: 0x4d7622ee
Exception code: 0xc0000005
Fault offset: 0x000000000003be99
Faulting process id: 0x10f0
Faulting application start time: 0xExplorer.EXE0
Faulting application path: Explorer.EXE1
Faulting module path: Explorer.EXE2
Report Id: Explorer.EXE3

Error: (01/26/2012 09:02:03 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.762"1".
Dependent Assembly Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.762" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (01/26/2012 09:02:02 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.762"1".
Dependent Assembly Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.762" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (01/26/2012 09:01:48 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"1".
Dependent Assembly Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (01/26/2012 09:01:36 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
The value "MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" of attribute "version" in element "assemblyIdentity" is invalid.

Error: (01/26/2012 09:00:51 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

Error: (01/26/2012 08:59:56 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "1".Error in manifest or policy file "2" on line 3.
Multiple requestedPrivileges elements are not allowed in manifest.

Error: (01/25/2012 07:25:22 PM) (Source: Customer Experience Improvement Program) (User: )
Description: 90080108

Error: (01/25/2012 04:37:41 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.762"1".
Dependent Assembly Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.762" could not be found.
Please use sxstrace.exe for detailed diagnosis.


System errors:
=============
Error: (01/24/2012 07:52:45 AM) (Source: Service Control Manager) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Vodafone Mobile Broadband Service service to connect.

Error: (01/23/2012 09:55:51 PM) (Source: Microsoft-Windows-WHEA-Logger) (User: LOCAL SERVICE)
Description: A fatal hardware error has occurred.

Component: AMD Northbridge
Error Source: 3
Error Type: 7
Processor ID: 0

The details view of this entry contains further information.

Error: (01/23/2012 09:53:27 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (01/23/2012 09:53:27 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (01/23/2012 09:53:27 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (01/23/2012 09:52:47 PM) (Source: DCOM) (User: )
Description: 1068fdPHost{D3DCB472-7261-43CE-924B-0704BD730D5F}

Error: (01/23/2012 09:52:47 PM) (Source: DCOM) (User: )
Description: 1068fdPHost{145B4335-FE2A-4927-A040-7C35AD3180EF}

Error: (01/23/2012 09:52:37 PM) (Source: Service Control Manager) (User: )
Description: The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error:
%%1068

Error: (01/23/2012 09:52:33 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (01/23/2012 09:52:33 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068


Microsoft Office Sessions:
=========================
Error: (01/26/2012 02:11:32 PM) (Source: Customer Experience Improvement Program)(User: )
Description: 80004005

Error: (01/26/2012 00:45:24 PM) (Source: Application Error)(User: )
Description: Explorer.EXE6.1.7601.175674d672ee4msfeeds.dll9.0.8112.164214d7622eec0000005000000000003be9910f001ccdc04239cb3c5C:\Windows\Explorer.EXEC:\Windows\system32\msfeeds.dll9d2d593b-481b-11e1-9864-e0cb4eb8b92c

Error: (01/26/2012 09:02:03 AM) (Source: SideBySide)(User: )
Description: Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.762"c:\program files (x86)\Steam\steamapps\common\horrid henry\Sprites\Henry\stomp\SpriteOffsetCalculator.exe

Error: (01/26/2012 09:02:02 AM) (Source: SideBySide)(User: )
Description: Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.762"c:\program files (x86)\Steam\steamapps\common\horrid henry\Sprites\Henry\hide\SpriteOffsetCalculator.exe

Error: (01/26/2012 09:01:48 AM) (Source: SideBySide)(User: )
Description: Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"C:\Program Files (x86)\Nokia\Nokia PC Suite 7\TIS_Windows7PIM.dll

Error: (01/26/2012 09:01:36 AM) (Source: SideBySide)(User: )
Description: assemblyIdentityversionMAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINORc:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dllc:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll3

Error: (01/26/2012 09:00:51 AM) (Source: SideBySide)(User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifestC:\Program Files (x86)\LogMeIn\x86\LogMeInToolkit.exe

Error: (01/26/2012 08:59:56 AM) (Source: SideBySide)(User: )
Description: C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPluginBroker.exeC:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPluginBroker.exe2

Error: (01/25/2012 07:25:22 PM) (Source: Customer Experience Improvement Program)(User: )
Description: 90080108

Error: (01/25/2012 04:37:41 PM) (Source: SideBySide)(User: )
Description: Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.762"c:\program files (x86)\Steam\steamapps\common\horrid henry\Sprites\Henry\stomp\SpriteOffsetCalculator.exe


=========================== Installed Programs ============================

64 Bit HP CIO Components Installer (Version: 6.2.2)
Acrobat.com (Version: 1.6.65)
Adobe Acrobat X Pro - English, Français, Deutsch (Version: 10.1.1)
Adobe AIR (Version: 1.5.3.9120)
Adobe Download Manager (Version: 1.6.2.91)
Adobe Flash Player 10 Plugin (Version: 10.1.82.76)
Adobe Flash Player 11 ActiveX 64-bit (Version: 11.1.102.55)
Adobe Reader 9.5.0 (Version: 9.5.0)
Adobe Shockwave Player 11.6 (Version: 11.6.1.629)
Alien Swarm
AMD APP SDK Runtime (Version: 2.5.793.1)
AMD Catalyst Install Manager (Version: 3.0.851.0)
AMD Drag and Drop Transcoding (Version: 2.00.0000)
AMD Fuel (Version: 2011.1025.2231.38573)
AMD Media Foundation Decoders (Version: 1.0.61025.2207)
AMD VISION Engine Control Center (Version: 2011.1025.2231.38573)
Apple Application Support (Version: 2.1.6)
Apple Mobile Device Support (Version: 4.0.0.97)
Apple Software Update (Version: 2.1.3.127)
Ask Toolbar (Version: 1.6.6.0)
Assassin's Creed (Version: 1.02)
ATI Catalyst Registration (Version: 3.00.0000)
AudibleManager (Version: 2005741680.48.56.37563066)
AVG 2012 (Version: 12.0.1901)
AVG 2012 (Version: 12.0.2109)
AVG 2012 (Version: 2012.0.1901)
Battlefield 3™ (Version: 1.0.0.0)
Battlefield: Bad Company 2
Battlelog Web Plugins (Version: 1.104.0)
BlackBerry Desktop Software 6.1 (Version: 6.1.0.35)
Bonjour (Version: 3.0.0.10)
Catalyst Control Center - Branding (Version: 1.00.0000)
Catalyst Control Center Graphics Previews Common (Version: 2011.1025.2231.38573)
Catalyst Control Center InstallProxy (Version: 2009.1124.2131.38610)
Catalyst Control Center InstallProxy (Version: 2011.1025.2231.38573)
ccc-utility64 (Version: 2011.1025.2231.38573)
CCC Help English (Version: 2011.1025.2230.38573)
CCleaner (Version: 2.27)
Chime
Compatibility Pack for the 2007 Office system (Version: 12.0.6514.5001)
Crysis 2
D3DX10 (Version: 15.4.2368.0902)
DiRT 2
DivX Setup (Version: 1.0.2.23)
DVD Suite (Version: 5.0.1906)
ESN Sonar (Version: 0.70.4)
Free Audio CD Burner version 1.2
Free Download Manager 3.0
Free YouTube to MP3 Converter version 3.2
Full Tilt Poker (Version: 4.24.0.WIN.FullTilt.COM)
Google Chrome (Version: 16.0.912.77)
Google Earth (Version: 6.1.0.5001)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Toolbar for Internet Explorer (Version: 7.2.2427.2330)
Google Update Helper (Version: 1.3.21.79)
GoToMeeting 4.5.0.457
Half-Life 2: Episode One
Horrid Henry
iTunes (Version: 10.5.2.11)
Java Auto Updater (Version: 2.0.6.1)
Java™ 6 Update 27 (Version: 6.0.270)
Junk Mail filter update (Version: 15.4.3502.0922)
LabelPrint (Version: 1920a)
LeapFrog Connect (Version: 2.9.1.11093)
LeapFrog Leapster2 Plugin (Version: 2.8.7.11034)
Left 4 Dead 2
LogMeIn (Version: 4.0.982)
Malwarebytes' Anti-Malware version 1.51.1.1800 (Version: 1.51.1.1800)
ManiaPlanet
Medal of Honor™ Multiplayer
Medal of Honor™ Single Player
MediaShow (Version: 3.0.4325)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6015.5000)
Microsoft Games for Windows - LIVE Redistributable (Version: 3.5.88.0)
Microsoft Games for Windows Marketplace (Version: 3.5.50.0)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Professional Edition 2003 (Version: 11.0.8173.0)
Microsoft Silverlight (Version: 4.0.60831.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.61000)
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft XNA Framework Redistributable 3.1 (Version: 3.1.10527.0)
Mozilla Firefox 8.0 (x86 en-GB) (Version: 8.0)
MSVC80_x64_v2 (Version: 1.0.3.0)
MSVC80_x86_v2 (Version: 1.0.3.0)
MSVCRT (Version: 15.4.2862.0708)
MSVCRT_amd64 (Version: 15.4.2862.0708)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
Nokia Connectivity Cable Driver (Version: 7.1.23.0)
Nokia PC Suite (Version: 7.1.40.6)
NVIDIA PhysX (Version: 9.09.0814)
OpenAL
Origin (Version: 8.3.7.3619)
PC Connectivity Solution (Version: 9.44.0.3)
PhotoNow! 1.0 (Version: 3.0.4310)
Platform (Version: 1.34)
Power2Go 5.0
PowerBackup (Version: 2.5.2903)
PowerDirector Express
PowerDVD (Version: 7.0.3118.0)
PowerDVD Copy (Version: 1.0.3716a)
PowerProducer
Primo (Version: 1.00.0000)
PunkBuster Services (Version: 0.991)
Puzzle Pirates
QuickTime (Version: 7.69.80.9)
Rapport (Version: 3.5.1108.65)
Rapture3D 2.3.26 Game
Room on the Broom (remove only)
Runtime (Version: 1.00.0000)
Skype Click to Call (Version: 5.6.8442)
Skype™ 5.5 (Version: 5.5.124)
Sony Ericsson PC Companion 2.01.078 (Version: 2.01.078)
Sony Ericsson Update Engine (Version: 2.10.12.15)
Sony Picture Utility (Version: 4.2.00.15030)
SopCast 3.2.9 (Version: 3.2.9)
Spotify (Version: 0.3.22)
StartupMonitor (Version: 1.0.2.0)
Steam (Version: 1.0.0.0)
swMSM (Version: 12.0.0.1)
TomTom HOME 2.7.5.2014 (Version: 2.7.5.2014)
TomTom HOME Visual Studio Merge Modules (Version: 1.0.2)
TrackMania Nations Forever
Trojan Killer (Version: 2.1.1.6)
Uninstall 1.0.0.1
Unity Web Player (Version: )
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Use the entry named LeapFrog Connect to uninstall (LeapFrog Leapster2 Plugin)
VC80CRTRedist - 8.0.50727.4053 (Version: 1.1.0)
Veetle TV 0.9.18 (Version: 0.9.18)
VIA Platform Device Manager (Version: 1.34)
Visual C++ 8.0 Runtime Setup Package (x64) (Version: 9.0.0.623)
Visual Studio 2008 x64 Redistributables (Version: 10.0.0.2)
VLC media player 1.1.4 (Version: 1.1.4)
Vodafone Mobile Broadband (Version: 10.1.108.29105)
WebEx
Windows Driver Package - Leapfrog (Leapfrog-USBLAN) Net (09/10/2009 02.03.05.012) (Version: 09/10/2009 02.03.05.012)
Windows Driver Package - Nokia Modem (06/01/2009 7.01.0.4) (Version: 06/01/2009 7.01.0.4)
Windows Driver Package - Nokia Modem (10/05/2009 4.2) (Version: 10/05/2009 4.2)
Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0) (Version: 08/22/2008 7.0.0.0)
Windows Live Communications Platform (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3502.0922)
Windows Live ID Sign-in Assistant (Version: 7.250.4225.0)
Windows Live Installer (Version: 15.4.3502.0922)
Windows Live Language Selector (Version: 15.4.3502.0922)
Windows Live Mail (Version: 15.4.3502.0922)
Windows Live Messenger (Version: 15.4.3502.0922)
Windows Live MIME IFilter (Version: 15.4.3502.0922)
Windows Live Movie Maker (Version: 15.4.3502.0922)
Windows Live Photo Common (Version: 15.4.3502.0922)
Windows Live Photo Gallery (Version: 15.4.3502.0922)
Windows Live PIMT Platform (Version: 15.4.3502.0922)
Windows Live SOXE (Version: 15.4.3502.0922)
Windows Live SOXE Definitions (Version: 15.4.3502.0922)
Windows Live Sync (Version: 14.0.8089.726)
Windows Live UX Platform (Version: 15.4.3502.0922)
Windows Live UX Platform Language Pack (Version: 15.4.3502.0922)
Windows Live Writer (Version: 15.4.3502.0922)
Windows Live Writer Resources (Version: 15.4.3502.0922)
Windows Mobile Device Center (Version: 6.1.6965.0)
WSOP.com

========================= Memory info: ===================================

Percentage of memory in use: 26%
Total physical RAM: 8191.18 MB
Available physical RAM: 6010.45 MB
Total Pagefile: 16380.55 MB
Available Pagefile: 13867.7 MB
Total Virtual: 4095.88 MB
Available Virtual: 3978.49 MB

========================= Partitions: =====================================

1 Drive c: (Windows7) (Fixed) (Total:911.98 GB) (Free:691.58 GB) NTFS

========================= Users: ========================================

User accounts for \\JOHN-DESKTOP

Administrator Guest John


**** End of log ****

===============================================

Ran MBAM, output as follows

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.26.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
John :: JOHN-DESKTOP [administrator]

26/01/2012 22:19:42
mbam-log-2012-01-26 (22-19-42).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 198532
Time elapsed: 4 minute(s), 24 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\John\Downloads\WiNlOgOn.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

(end)

====================================================

Will restart machine as instructed...

#6 johntt

johntt
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:10:37 AM

Posted 26 January 2012 - 06:05 PM

Restarted and ran aswMBR, output was


aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-01-26 22:32:09
-----------------------------
22:32:09.861 OS Version: Windows x64 6.1.7601 Service Pack 1
22:32:09.861 Number of processors: 4 586 0x403
22:32:09.861 ComputerName: JOHN-DESKTOP UserName: John
22:32:14.104 Initialize success
22:33:15.410 AVAST engine defs: 12012602
22:33:23.974 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2
22:33:23.974 Disk 0 Vendor: SAMSUNG_HD103SJ 1AJ100E4 Size: 953869MB BusType: 3
22:33:24.005 Disk 0 MBR read successfully
22:33:24.005 Disk 0 MBR scan
22:33:24.005 Disk 0 Windows 7 default MBR code
22:33:24.021 Disk 0 MBR hidden
22:33:24.068 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 20001 MB offset 2048
22:33:24.083 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 933864 MB offset 40965750
22:33:24.130 Disk 0 Partition 3 80 (A) 17 Hidd HPFS/NTFS NTFS 2 MB offset 1953519616
22:33:24.130 Disk 0 Partition 3 **INFECTED** MBR:Alureon-K [Rtk]
22:33:24.146 Service scanning
22:33:37.047 Modules scanning
22:33:37.047 Disk 0 trace - called modules:
22:33:37.063 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8007b1e334]<<ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
22:33:37.063 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007b04060]
22:33:37.078 3 CLASSPNP.SYS[fffff8800160143f] -> nt!IofCallDriver -> [0xfffffa8007454520]
22:33:37.078 5 ACPI.sys[fffff88000f177a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0xfffffa8007452680]
22:33:37.078 \Driver\atapi[0xfffffa8006b234a0] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0xfffffa8007b1e334
22:33:41.945 AVAST engine scan C:\Windows
22:33:49.059 AVAST engine scan C:\Windows\system32
22:39:05.820 AVAST engine scan C:\Windows\system32\drivers
22:39:27.637 AVAST engine scan C:\Users\John
22:54:45.794 AVAST engine scan C:\ProgramData
22:59:41.434 Scan finished successfully
23:03:33.390 Disk 0 MBR has been saved successfully to "C:\Users\John\Desktop\MBR.dat"
23:03:33.393 The log file has been saved successfully to "C:\Users\John\Desktop\aswMBR.txt"
23:03:55.385 Disk 0 MBR has been saved successfully to "C:\Users\John\Desktop\MBR.dat"
23:03:55.390 The log file has been saved successfully to "C:\Users\John\Desktop\aswMBR.txt"

#7 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,698 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:08:37 AM

Posted 26 January 2012 - 07:16 PM

You're infected with the newest TDL rootkit.
More advanced help will be needed.

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.



#8 johntt

johntt
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:10:37 AM

Posted 14 February 2012 - 04:59 PM

Ok, thanks for that.

Instructions followed and new topic here - http://www.bleepingcomputer.com/forums/topic439522.html



