Hijackthis log..Please help


  • This topic is locked
33 replies to this topic

#1 trailmarkman

trailmarkman

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:10:16 PM

Posted 10 February 2012 - 02:46 PM

Our point of sale system that has internet access has been acting up lately. We have run Spybot, Malwarebytes, AVG (free edition) and now Hijackthis. All the scans show no infection, but when I get online I am not able to open any search engine. I know that Malwarebytes has an option to block websites and I can disable it and get some success. When I attempt to get freeware to fix the issue (rootkit scanner/killer etc.), I get bounced to websites that are ad sites. Malwarebytes is also blocking access to IP addresses both incoming and outgoing. I have run HJT and I have the log. Any help would be greatly appreciated. Thanks!!


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:16 AM

Posted 10 February 2012 - 06:26 PM

Is this a business/institution computer?
I am asking this for several reasons:
  • There may be restrictions and modifications installed on such machines that could be damaged or altered by the actions we take to remove Malware.
  • Any infection could jump terminals in a computer network.
  • There may also be legal issues regarding any loss of business data that I do not wish to deal with.
  • Some people who come here use their computers for work, and the computers may contain the patient records of a physician or the financial records of an accountant's clients or credit card and bank account information of their employer's customers.
  • There may be tremendous risks and legal liability for such users for not fully securing the computer. We will not know this unless we ask. We do not want to be accidentally putting those we help in vulnerable positions for lawsuits.
  • Business factors outweigh technical factors in making the reformat and reinstall decision. Sometimes friends give missing CDs or lack of expertise as a reason for not doing a reformat and reinstall.
  • The cost of replacing missing Windows XP and MS Office CDs and getting a Microsoft Certified Systems Engineer to come in for 3 hours to do the reinstall and apply all the critical updates is trivial compared with the potential cost of a multi-million dollar lawsuit for breach of trust if confidential client or patient information is disclosed.
  • In specific situations where highly confidential information about others is on the computer, and a backdoor virus or trojan is found, we are helping people more by identifying that they have a backdoor trojan which puts them in a particularly vulnerable situation and sending them to seek local professional help from a Microsoft Certified Systems Engineer or Certified Information Systems Security Professional or Global Information Assurance Certification Certified Security Expert or Certified Computing Professional or Internet Service Provider than we would be trying to fully resolve their problems long distance.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 trailmarkman

Posted 10 February 2012 - 09:56 PM

We are a small retail business (less than a million in sales per year). The computer with the issues is the only one on the network (we only have the one computer/register other than our personal laptops). (I know it's been stupid to let employees use the computer for Internet access, especially since it runs all our credit card processing and is the lifeblood of our business.) We're just looking to get it fixed and there would be no sort of lawsuit if there were issues. If there were a step I felt may compromise our system, I would stop and say so. All other aspects of the computer seem to be running fine, it's just the internet access and the Malwarebytes flagging malicious activity even when no one is online. I understand if you don't want to proceed, but we really could use the help and like I said we would in no way hold anyone accountable for any further issues that would arise throughout the repair process. Thanks.

#4 CatByte

Posted 10 February 2012 - 10:01 PM

If that computer contains customers' credit card information, that information could be compromised, and you can imagine the implications of that, so I would definitely reformat the computer.

If it doesn't contain any customer information, then please run the following:

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.


NEXT

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well


#5 trailmarkman

Posted 11 February 2012 - 04:58 PM

Thanks for the reply. No credit card information is stored on this (or any of our computers). I am out of the office today, but I will be in work tomorrow (2-12-10). I'll complete the steps you provided and I'll report back. Please keep this thread open.

#6 CatByte

Posted 11 February 2012 - 05:36 PM

:thumbup2:


#7 trailmarkman

Posted 12 February 2012 - 01:11 PM

Here are the results of the scans:

.
.DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by POS1 at 11:46:33 on 2012-02-12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.697 [GMT -6:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG10\avgtray.exe
svchost.exe
C:\Program Files\AVG Secure Search\vprot.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\GRBakPro\GRSrv.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\GRBakPro\GRBakPro.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\PCCW\Pccw.Exe
C:\tgswin\winapps\MainMenu.exe
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\PDF Complete\pdfsvc.exe
C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.0.6\ToolbarUpdater.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\tgswin\winapps\POSINIT.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\10.0.0.7\AVG Secure Search_toolbar.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\10.0.0.7\AVG Secure Search_toolbar.dll
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Recguard] c:\windows\sminst\Recguard.exe
mRun: [PDF Complete] c:\program files\pdf complete\pdfsty.exe
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini"
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
mRun: [ROC_roc_dec12] "c:\program files\avg secure search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: usps.com\sss-web
DPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue.com/US/TechConsole/x86/RescueControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 10.1.10.1
TCP: Interfaces\{63A83616-EDC8-4206-9491-03D3BACFA475} : DhcpNameServer = 10.1.10.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\10.0.6\ViProtocol.dll
Notify: igfxcui - igfxdev.dll
Hosts: 94.63.240.131 www.google.com
Hosts: 94.63.240.132 www.bing.com
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 297168]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2012-1-31 7391072]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 GRBackProGRSrv.exe;GRBackPro;c:\program files\grbakpro\GRSrv.exe [2008-9-4 69632]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-5-9 652360]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2008-8-6 799256]
R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\pervasive software\psql\bin\w3dbsmgr.exe [2007-9-5 455968]
R2 vToolbarUpdater;vToolbarUpdater;c:\program files\common files\avg secure search\vtoolbarupdater\10.0.6\ToolbarUpdater.exe [2012-1-16 909152]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-5-9 20464]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-4-12 167264]
S3 MagEpNt;MagEpNt;c:\windows\system32\drivers\magepnt.sys [2008-10-3 26304]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-4 14336]
S3 VirtDisk;XSS Virtual Disk Driver;c:\windows\sminst\virtdisk.sys [2008-8-6 57344]
S4 POSPerformanceCounters;Point Of Service Performance Counters;c:\program files\microsoft point of service\Microsoft.PointOfService.Service.exe [2008-2-29 42056]
.
=============== Created Last 30 ================
.
2012-02-10 19:14:35 388096 ----a-r- c:\documents and settings\pos1\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-02-10 19:14:34 -------- d-----w- c:\program files\Trend Micro
2012-02-10 17:31:56 94208 ------w- c:\windows\system32\BrDctF2.dll
2012-02-10 17:31:56 12288 ------w- c:\windows\system32\BrDctF2S.dll
2012-02-10 17:31:56 12288 ------w- c:\windows\system32\BrDctF2L.dll
2012-02-10 17:31:42 126976 ------w- c:\windows\system32\BrfxD05a.dll
2012-02-09 23:16:19 -------- d-----w- c:\program files\Cisco Systems
2012-02-09 23:09:56 -------- d-----w- c:\documents and settings\all users\application data\Cisco Systems
2012-02-09 22:49:45 -------- d-----w- c:\program files\CCleaner
2012-02-09 19:32:39 9502424 ----a-w- c:\program files\mbam--setup-1.60.1.1000.exe
2012-02-09 15:51:12 -------- d-----w- c:\windows\system32\%APPDATA%
2012-02-07 16:33:59 -------- d-----w- c:\documents and settings\pos1\local settings\application data\WMTools Downloaded Files
2012-02-01 19:01:17 5154304 ----a-w- c:\program files\WindowsDefender.msi
2012-01-27 18:11:21 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-01-27 18:11:20 -------- d-----w- c:\windows\system32\wbem\Repository
2012-01-16 16:31:52 -------- d-----w- c:\windows\system32\cache
.
==================== Find3M ====================
.
2012-02-12 01:54:08 60 ----a-w- c:\windows\wpd99.drv
2011-12-10 21:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-25 21:57:19 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25:32 1859584 ------w- c:\windows\system32\win32k.sys
2011-11-18 12:35:08 60416 ------w- c:\windows\system32\packager.exe
2011-11-16 14:21:44 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21:44 354816 ----a-w- c:\windows\system32\SETC7.tmp
2011-11-16 14:21:44 152064 ----a-w- c:\windows\system32\SETC6.tmp
2011-11-16 14:21:44 152064 ----a-w- c:\windows\system32\schannel.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST380815AS rev.3.CHH -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A21549F]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a21c738]; MOV EAX, [0x8a21c8ac]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A661AB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000065[0x8A664F18]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A643D98]
\Driver\atapi[0x8A58BBE0] -> IRP_MJ_CREATE -> 0x8A21549F
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5d; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A2152C6
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 11:48:24.82 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 8/19/2008 1:27:34 PM
System Uptime: 2/12/2012 10:57:46 AM (1 hours ago)
.
Motherboard: Hewlett-Packard | | 0A80h
Processor: Intel® Pentium® Dual CPU E2160 @ 1.80GHz | XU1 PROCESSOR | 1795/800mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 65 GiB total, 38.695 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 2.055 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1222: 11/13/2011 5:58:10 PM - System Checkpoint
RP1223: 11/14/2011 11:00:16 AM - Software Distribution Service 3.0
RP1224: 11/15/2011 4:00:28 PM - System Checkpoint
RP1225: 11/16/2011 4:12:11 PM - System Checkpoint
RP1226: 11/17/2011 5:45:30 PM - System Checkpoint
RP1227: 11/18/2011 5:58:36 PM - System Checkpoint
RP1228: 11/19/2011 6:15:42 PM - System Checkpoint
RP1229: 11/20/2011 6:52:12 PM - System Checkpoint
RP1230: 11/21/2011 11:00:16 AM - Software Distribution Service 3.0
RP1231: 11/22/2011 2:04:47 PM - System Checkpoint
RP1232: 11/23/2011 2:34:19 PM - System Checkpoint
RP1233: 11/24/2011 3:26:02 PM - System Checkpoint
RP1234: 11/25/2011 4:33:39 PM - System Checkpoint
RP1235: 11/26/2011 4:39:42 PM - System Checkpoint
RP1236: 11/27/2011 5:29:49 PM - System Checkpoint
RP1237: 11/28/2011 11:00:16 AM - Software Distribution Service 3.0
RP1238: 11/29/2011 11:14:26 AM - System Checkpoint
RP1239: 11/30/2011 1:20:32 PM - System Checkpoint
RP1240: 12/1/2011 5:13:21 PM - System Checkpoint
RP1241: 12/2/2011 5:58:48 PM - System Checkpoint
RP1242: 12/3/2011 6:23:31 PM - System Checkpoint
RP1243: 12/4/2011 6:54:20 PM - System Checkpoint
RP1244: 12/5/2011 11:00:15 AM - Software Distribution Service 3.0
RP1245: 12/6/2011 12:39:21 PM - System Checkpoint
RP1246: 12/7/2011 3:53:40 PM - System Checkpoint
RP1247: 12/8/2011 6:07:55 PM - System Checkpoint
RP1248: 12/9/2011 6:51:56 PM - System Checkpoint
RP1249: 12/10/2011 8:27:56 PM - System Checkpoint
RP1250: 12/11/2011 8:39:25 PM - System Checkpoint
RP1251: 12/12/2011 11:00:16 AM - Software Distribution Service 3.0
RP1252: 12/13/2011 11:04:17 AM - System Checkpoint
RP1253: 12/14/2011 12:42:39 PM - System Checkpoint
RP1254: 12/15/2011 6:56:37 PM - System Checkpoint
RP1255: 12/16/2011 7:14:23 PM - System Checkpoint
RP1256: 12/17/2011 9:48:52 PM - System Checkpoint
RP1257: 12/19/2011 11:00:24 AM - Software Distribution Service 3.0
RP1258: 12/20/2011 6:40:28 PM - System Checkpoint
RP1259: 12/21/2011 7:37:28 PM - System Checkpoint
RP1260: 12/22/2011 9:59:05 PM - System Checkpoint
RP1261: 12/24/2011 4:32:06 PM - System Checkpoint
RP1262: 12/26/2011 11:00:15 AM - Software Distribution Service 3.0
RP1263: 12/27/2011 5:56:45 PM - System Checkpoint
RP1264: 12/28/2011 5:57:22 PM - System Checkpoint
RP1265: 12/29/2011 6:29:52 PM - System Checkpoint
RP1266: 12/30/2011 7:31:12 PM - System Checkpoint
RP1267: 12/31/2011 7:59:54 PM - System Checkpoint
RP1268: 1/1/2012 8:13:44 PM - System Checkpoint
RP1269: 1/2/2012 11:00:15 AM - Software Distribution Service 3.0
RP1270: 1/3/2012 12:51:12 PM - System Checkpoint
RP1271: 1/4/2012 1:02:58 PM - System Checkpoint
RP1272: 1/5/2012 3:24:16 PM - System Checkpoint
RP1273: 1/6/2012 4:14:06 PM - System Checkpoint
RP1274: 1/7/2012 8:21:18 PM - System Checkpoint
RP1275: 1/8/2012 8:44:46 PM - System Checkpoint
RP1276: 1/9/2012 11:00:15 AM - Software Distribution Service 3.0
RP1277: 1/10/2012 12:40:12 PM - System Checkpoint
RP1278: 1/11/2012 12:55:00 PM - System Checkpoint
RP1279: 1/12/2012 10:20:16 AM - Removed Google Earth Plug-in.
RP1280: 1/13/2012 1:59:32 PM - System Checkpoint
RP1281: 1/14/2012 8:26:38 PM - System Checkpoint
RP1282: 1/15/2012 8:44:58 PM - System Checkpoint
RP1283: 1/16/2012 11:00:17 AM - Software Distribution Service 3.0
RP1284: 1/17/2012 1:17:42 PM - System Checkpoint
RP1285: 1/18/2012 1:26:12 PM - System Checkpoint
RP1286: 1/19/2012 2:06:16 PM - System Checkpoint
RP1287: 1/20/2012 3:19:16 PM - System Checkpoint
RP1288: 1/20/2012 9:18:12 PM - Software Distribution Service 3.0
RP1289: 1/21/2012 9:43:00 PM - System Checkpoint
RP1290: 1/22/2012 10:00:03 PM - System Checkpoint
RP1291: 1/23/2012 11:00:15 AM - Software Distribution Service 3.0
RP1292: 1/24/2012 2:37:29 PM - System Checkpoint
RP1293: 1/25/2012 3:12:40 PM - System Checkpoint
RP1294: 1/26/2012 4:04:04 PM - System Checkpoint
RP1295: 1/27/2012 11:47:32 AM - Jan 27
RP1296: 1/27/2012 11:50:58 AM - Restore Operation
RP1297: 1/27/2012 11:58:36 AM - Software Distribution Service 3.0
RP1298: 1/27/2012 12:06:49 PM - Restore Operation
RP1299: 1/28/2012 1:11:29 PM - System Checkpoint
RP1300: 1/29/2012 2:09:26 PM - System Checkpoint
RP1301: 1/30/2012 11:00:16 AM - Software Distribution Service 3.0
RP1302: 2/2/2012 8:33:13 PM - Software Distribution Service 3.0
RP1303: 2/4/2012 3:58:48 PM - Software Distribution Service 3.0
RP1304: 2/9/2012 6:42:57 PM - System Checkpoint
RP1305: 2/10/2012 11:20:33 AM - Removed Brother MFL-Pro Suite
RP1306: 2/10/2012 11:25:32 AM - Installed Microsoft Visual C++ 2005 Redistributable
RP1307: 2/10/2012 11:31:35 AM - Installed Brother MFL-Pro Suite
RP1308: 2/10/2012 11:33:04 AM - Unsigned printer driver Brother PC-FAX v.2 installed.
RP1309: 2/10/2012 1:14:29 PM - Installed HiJackThis
RP1310: 2/11/2012 3:35:11 PM - System Checkpoint
.
==== Installed Programs ======================
.
.
2007 Microsoft Office system
Activation Assistant for the 2007 Microsoft Office suites
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader X (10.1.2)
AVG 2011
Broadcom Management Programs
Broadcom TPM Driver Installer
Brother HL-5240
Brother MFL-Pro Suite
CCleaner
Cisco Connect
Fujitsu NetCOBOL Foundation Class Library Run-time
Fujitsu NetCOBOL Free Run-time
Fujitsu PowerCOBOL Free Run-time
Fujitsu PowerFORM Free Run-time
getPlus® for Adobe
GRBackPro: Professional Backup 6.6 FULL V6.6.0
High Definition Audio Driver Package - KB888111
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB952117-v2)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Backup and Recovery Manager
HP Help and Support
HP MagSwipe Configuration Utility
HPhmUtility
HpSdpAppCoreApp
Intel® Graphics Media Accelerator Driver
InterVideo Register Manager
InterVideo WinDVD
Java™ 6 Update 4
Malwarebytes Anti-Malware version 1.60.1.1000
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 Web Components
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Hybrid 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Small Business Connectivity Components
Microsoft Office Suite Activation Assistant
Microsoft Office Word MUI (English) 2007
Microsoft POS for .NET 1.12
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
OGA Notifier 2.0.0048.0
OpenOffice.org 2.4
PaperPort Image Printer
PCCharge Pro
PDF Complete
Pdf995
Pervasive PSQL v10 Workgroup (32-bit)
Realtek High Definition Audio Driver
ScanSoft PaperPort 11
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2553089)
Security Update for 2007 Microsoft Office System (KB2553090)
Security Update for 2007 Microsoft Office System (KB2584063)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Sentinel System Driver Installer 7.4.2
Spybot - Search & Destroy
The General Store Version 7
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596686) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Microsoft Office Outlook 2007 (KB2583910)
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676-v2)
Update for Windows XP (KB2641690)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Imaging Component
Windows Internet Explorer 8
Windows Presentation Foundation
Windows XP Service Pack 3
XML Paper Specification Shared Components Pack 1.0
.
==== Event Viewer Messages From Past Week ========
.
2/9/2012 9:46:23 AM, error: Service Control Manager [7024] - The SQL Server (MSSMLBIZ) service terminated with service-specific error 3417 (0xD59).
2/9/2012 9:45:59 AM, error: Print [19] - Sharing printer failed + 1722, Printer HP A794 Full share name Printer5.
2/9/2012 5:14:21 PM, error: Dhcp [1002] - The IP address lease 192.168.2.6 for the Network Card with network address 000FFED77680 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
2/8/2012 10:15:49 AM, error: Dhcp [1002] - The IP address lease 192.168.2.2 for the Network Card with network address 000FFED77680 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
2/7/2012 7:55:17 PM, error: BROWSER [8007] - The browser was unable to update the service status bits. The data is the error.
2/6/2012 9:49:48 AM, error: Service Control Manager [7022] - The AVGIDSAgent service hung on starting.
2/6/2012 10:27:30 AM, error: Dhcp [1002] - The IP address lease 192.168.2.5 for the Network Card with network address 000FFED77680 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
.
==== End Of File ===========================


aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-12 11:51:38
-----------------------------
11:51:38.421 OS Version: Windows 5.1.2600 Service Pack 3
11:51:38.421 Number of processors: 2 586 0xF0D
11:51:38.421 ComputerName: TRAIL-MARK01 UserName: POS1
11:51:39.968 Initialize success
11:53:49.078 AVAST engine defs: 12021200
11:55:16.562 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
11:55:16.562 Disk 0 Vendor: ST380815AS 3.CHH Size: 76319MB BusType: 3
11:55:16.562 Device \Driver\atapi -> DriverStartIo 8a2152c6
11:55:16.562 Disk 0 MBR read successfully
11:55:16.562 Disk 0 MBR scan
11:55:16.593 Disk 0 MBR:Pihar-C [Rtk]
11:55:16.593 Disk 0 TDL4@MBR code has been found
11:55:16.593 Disk 0 MBR hidden
11:55:16.593 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 66056 MB offset 63
11:55:16.625 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 10244 MB offset 135299430
11:55:16.625 Disk 0 MBR [TDL4] **ROOTKIT**
11:55:16.625 Disk 0 trace - called modules:
11:55:16.625 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a21549f]<<
11:55:16.625 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a661ab8]
11:55:16.640 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000065[0x8a664f18]
11:55:16.640 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> [0x8a643d98]
11:55:16.640 \Driver\atapi[0x8a58bbe0] -> IRP_MJ_CREATE -> 0x8a21549f
11:55:17.265 AVAST engine scan C:\WINDOWS
11:55:23.703 AVAST engine scan C:\WINDOWS\system32
11:58:09.406 AVAST engine scan C:\WINDOWS\system32\drivers
11:58:23.203 AVAST engine scan C:\Documents and Settings\POS1
12:00:02.109 AVAST engine scan C:\Documents and Settings\All Users
12:00:46.750 Scan finished successfully
12:01:38.109 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\POS1\Desktop\MBR.dat"
12:01:38.109 The log file has been saved successfully to "C:\Documents and Settings\POS1\Desktop\aswMBR.txt"
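
The detection lines in the aswMBR log above can be pulled out mechanically when triaging many such logs. The Python below is an added example, not part of the original thread or of aswMBR; the function names, the line patterns (inferred only from this one log) and the "same 4 KiB page" heuristic are assumptions of this example.

```python
import re

# Lines copied from the aswMBR log posted above (scan-progress lines omitted).
SAMPLE_LOG = r"""
11:55:16.562 Device \Driver\atapi -> DriverStartIo 8a2152c6
11:55:16.562 Disk 0 MBR read successfully
11:55:16.562 Disk 0 MBR scan
11:55:16.593 Disk 0 MBR:Pihar-C [Rtk]
11:55:16.593 Disk 0 TDL4@MBR code has been found
11:55:16.593 Disk 0 MBR hidden
11:55:16.625 Disk 0 MBR [TDL4] **ROOTKIT**
11:55:16.625 Disk 0 trace - called modules:
11:55:16.625 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a21549f]<<
11:55:16.640 \Driver\atapi[0x8a58bbe0] -> IRP_MJ_CREATE -> 0x8a21549f
12:00:46.750 Scan finished successfully
"""

# Constructed sample: the same scan with every detection line removed.
CLEAN_LOG = r"""
11:55:16.562 Disk 0 MBR read successfully
11:55:16.562 Disk 0 MBR scan
12:00:46.750 Scan finished successfully
"""

TS = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3}\s+(.*)$")
MBR_NAME = re.compile(r"^Disk (\d+) MBR:(\S+) \[Rtk\]")
MBR_CODE = re.compile(r"^Disk (\d+) (\S+)@MBR code has been found")
MBR_HIDDEN = re.compile(r"^Disk (\d+) MBR hidden")
MBR_ROOTKIT = re.compile(r"^Disk (\d+) MBR \[(\S+)\] \*\*ROOTKIT\*\*")
UNKNOWN_MOD = re.compile(r">>UNKNOWN \[0x([0-9a-fA-F]+)\]<<")
START_IO = re.compile(r"^Device (\\Driver\\\w+) -> DriverStartIo ([0-9a-fA-F]+)")
DISPATCH = re.compile(r"^(\\Driver\\\w+)\[0x[0-9a-fA-F]+\] -> (IRP_MJ_\w+) -> 0x([0-9a-fA-F]+)")


def triage(log_text):
    """Collect MBR detections and driver pointers that land in unidentified code."""
    disks, unknown, pointers = {}, [], []

    def disk(number):
        return disks.setdefault(
            int(number), {"names": set(), "hidden": False, "rootkit": False}
        )

    for raw in log_text.splitlines():
        m = TS.match(raw.strip())
        if not m:
            continue  # skip banner, separator and blank lines
        msg = m.group(1)
        if (d := MBR_NAME.match(msg)) or (d := MBR_CODE.match(msg)):
            disk(d.group(1))["names"].add(d.group(2))
        elif d := MBR_ROOTKIT.match(msg):
            entry = disk(d.group(1))
            entry["rootkit"] = True
            entry["names"].add(d.group(2))
        elif d := MBR_HIDDEN.match(msg):
            disk(d.group(1))["hidden"] = True
        elif d := START_IO.match(msg):
            pointers.append((d.group(1), "DriverStartIo", int(d.group(2), 16)))
        elif d := DISPATCH.match(msg):
            pointers.append((d.group(1), d.group(2), int(d.group(3), 16)))
        for u in UNKNOWN_MOD.finditer(msg):
            unknown.append(int(u.group(1), 16))

    # Heuristic (assumption of this example): a driver routine is reported when
    # it sits in the same 4 KiB page as an address aswMBR marked >>UNKNOWN<<.
    hooks = []
    for driver, routine, addr in pointers:
        for u in unknown:
            if addr >> 12 == u >> 12:
                hooks.append((driver, routine, addr, addr == u))
                break

    for entry in disks.values():
        entry["names"] = sorted(entry["names"])
    return {"disks": disks, "unknown_modules": unknown, "hooks": hooks}


def verdict(findings):
    """Reduce the findings to one triage label."""
    if any(d["rootkit"] or d["names"] for d in findings["disks"].values()):
        return "mbr-rootkit"
    if findings["hooks"] or findings["unknown_modules"]:
        return "suspicious-driver-pointers"
    return "no-detection"


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(verdict(result), result)
```
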

#8 trailmarkman


Posted 12 February 2012 - 01:13 PM

I attached the MBR.dat file as an attachment. I hope that was added. Let me know if it is not. I did see that there was a "possible TDL3 rootkit infection"...whatever that is. Thanks for your help.

#9 CatByte


Posted 12 February 2012 - 01:27 PM

Hi,

Please do the following:

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • when the window opens, click on Change Parameters
  • under “Additional options”, put a check mark in the box next to “Detect TDLFS File System” (If found - select delete)
  • click OK
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)



NEXT



Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#10 trailmarkman


Posted 12 February 2012 - 01:55 PM

Combo scan is running. I did have an AVG warning pop up with a threat warning. I vaulted it and continued on. The scan is running and I received this message:

'Handle' is not recognized as an internal or external command, operable program or batch file.

There is a blinking cursor below it. The scan has been running for 8 minutes. Not sure if it got hung up or not.

#11 CatByte


Posted 12 February 2012 - 01:56 PM

AVG probably ate part of ComboFix.

You may need to uninstall AVG while we clean the machine.

Please download a fresh copy of ComboFix and run it.

Edited by CatByte, 12 February 2012 - 01:57 PM.



#12 trailmarkman


Posted 12 February 2012 - 02:26 PM

I cannot access the internet to re-download the ComboFix. The register doesn't have a USB connection either, so I cannot download from a clean computer and transfer. Any ideas?

#13 trailmarkman


Posted 12 February 2012 - 02:27 PM

Disregard. I got back on.

#14 trailmarkman


Posted 12 February 2012 - 02:38 PM

The auto scan was running and making progress. It began deleting folders and it seems to have stalled out. I have lost all icons on the desktop and system tray. Is this normal?

#15 trailmarkman


Posted 12 February 2012 - 02:50 PM

ComboFix 12-02-12.01 - POS1 02/12/2012 13:30:05.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1210 [GMT -6:00]
Running from: c:\documents and settings\POS1\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\mbam--setup-1.60.1.1000.exe
c:\windows\Downloaded Installations\BMP
c:\windows\Downloaded Installations\BMP\{6E378F0B-426B-4556-80D9-4BE4E3D87073}\1033.MST
c:\windows\Downloaded Installations\BMP\{6E378F0B-426B-4556-80D9-4BE4E3D87073}\BMP.msi
c:\windows\Downloaded Program Files\x64
c:\windows\Downloaded Program Files\x64\racodec.ax
c:\windows\Downloaded Program Files\x86
c:\windows\Downloaded Program Files\x86\racodec.ax
c:\windows\EventSystem.log
c:\windows\system32\Cache
c:\windows\system32\Cache\1bc2027421223d00.fb
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\2c53092c95605355.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\a8556537add6dfc5.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\e0de16f883bea794.fb
c:\windows\system32\SETC6.tmp
c:\windows\system32\SETC7.tmp
D:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2012-01-12 to 2012-02-12 )))))))))))))))))))))))))))))))
.
.
2012-02-12 18:32 . 2012-02-12 18:32 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-10 19:14 . 2012-02-10 19:14 388096 ----a-r- c:\documents and settings\POS1\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-02-10 19:14 . 2012-02-10 19:14 -------- d-----w- c:\program files\Trend Micro
2012-02-10 17:31 . 2007-01-25 23:16 94208 ------w- c:\windows\system32\BrDctF2.dll
2012-02-10 17:31 . 2007-01-16 03:54 12288 ------w- c:\windows\system32\BrDctF2S.dll
2012-02-10 17:31 . 2007-01-15 22:09 12288 ------w- c:\windows\system32\BrDctF2L.dll
2012-02-10 17:31 . 2007-07-25 07:04 126976 ------w- c:\windows\system32\BrfxD05a.dll
2012-02-09 23:16 . 2012-02-09 23:16 -------- d-----w- c:\program files\Cisco Systems
2012-02-09 23:09 . 2012-02-09 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Cisco Systems
2012-02-09 22:49 . 2012-02-09 22:49 -------- d-----w- c:\program files\CCleaner
2012-02-09 15:51 . 2012-02-09 15:51 -------- d-----w- c:\windows\system32\%APPDATA%
2012-02-07 16:33 . 2012-02-07 16:33 -------- d-----w- c:\documents and settings\POS1\Local Settings\Application Data\WMTools Downloaded Files
2012-02-02 17:32 . 2012-02-02 17:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2012-02-02 17:32 . 2012-02-02 17:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2012-02-01 19:01 . 2012-02-01 19:01 5154304 ----a-w- c:\program files\WindowsDefender.msi
2012-01-27 18:11 . 2012-01-27 18:11 -------- d-----w- c:\windows\system32\wbem\Repository
2012-01-27 18:11 . 2012-01-27 18:11 -------- d-----w- c:\documents and settings\LocalService\Application Data\SampleView
2012-01-27 18:08 . 2012-01-27 18:09 -------- d-----w- c:\program files\Google
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 21:24 . 2010-05-09 16:39 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-25 21:57 . 2004-08-04 08:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2004-08-04 08:00 1859584 ------w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2004-08-04 08:00 60416 ------w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2004-08-04 08:00 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2004-08-04 08:00 152064 ----a-w- c:\windows\system32\schannel.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-01-16 16:31 1811296 ----a-w- c:\program files\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll" [2012-01-16 1811296]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2006-05-12 1138688]
"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2008-12-20 320536]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2012-01-18 2339168]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-01-16 939872]
"ROC_roc_dec12"="c:\program files\AVG Secure Search\ROC_roc_dec12.exe" [2012-01-16 928096]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-02-10 745472]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-10-30 77824]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKLM\~\startupfolder\C:^Documents and Settings^POS1^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\documents and settings\POS1\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]
2009-02-10 17:03 745472 ------r- c:\program files\Brother\Brmfcmon\BrMfcWnd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
2007-10-30 21:05 77824 ------w- c:\program files\Brother\ControlCenter3\BrCtrCen.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-01-13 09:47 163840 ------w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-01-13 09:47 131072 ------w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2007-10-12 01:01 46368 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2007-10-12 01:03 29984 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-01-13 09:46 135168 ------w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2006-03-31 21:44 761856 ------w- c:\windows\CREATOR\Remind_XP.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Scheduler]
2006-07-10 17:53 872448 ------w- c:\windows\SMINST\Scheduler.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetRefresh]
2003-11-20 19:01 525824 ----a-w- c:\program files\Compaq\SetRefresh\SetRefresh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 15:03 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"c:\\Program Files\\Pervasive Software\\PSQL\\bin\\w3dbsmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=
"c:\\Program Files\\Brother\\Brmfl07b\\FAXRX.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"54925:UDP"= 54925:UDP:Brother Network Scanner
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 3:27 PM 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 2:48 AM 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [9/7/2010 2:48 AM 248656]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [9/7/2010 2:49 AM 297168]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [2/8/2011 4:33 AM 269520]
R2 GRBackProGRSrv.exe;GRBackPro;c:\program files\GRBakPro\GRSrv.exe [9/4/2008 11:15 AM 69632]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/9/2010 10:39 AM 652360]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [8/6/2008 12:47 AM 799256]
R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\Pervasive Software\PSQL\bin\w3dbsmgr.exe [9/5/2007 10:25 AM 455968]
R2 vToolbarUpdater;vToolbarUpdater;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\10.0.6\ToolbarUpdater.exe [1/16/2012 10:31 AM 909152]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [8/19/2010 8:42 PM 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [8/19/2010 8:42 PM 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [8/19/2010 8:42 PM 27216]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/9/2010 10:39 AM 20464]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [1/31/2012 3:02 PM 7391072]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [4/12/2011 9:24 AM 167264]
S3 MagEpNt;MagEpNt;c:\windows\system32\drivers\magepnt.sys [10/3/2008 9:08 AM 26304]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 2:00 AM 14336]
S3 VirtDisk;XSS Virtual Disk Driver;c:\windows\SMINST\virtdisk.sys [8/6/2008 12:51 AM 57344]
S4 POSPerformanceCounters;Point Of Service Performance Counters;c:\program files\Microsoft Point Of Service\Microsoft.PointOfService.Service.exe [2/29/2008 11:25 AM 42056]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-12 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 21:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
Trusted Zone: usps.com\sss-web
TCP: DhcpNameServer = 10.1.10.1
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\10.0.6\ViProtocol.dll
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Toolbar-Locked - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-12 13:42
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Pervasive Software\PSQL]
@Denied: ) (Everyone)
@=""
.
Completion time: 2012-02-12 13:44:39
ComboFix-quarantined-files.txt 2012-02-12 19:44
.
Pre-Run: 41,547,063,296 bytes free
Post-Run: 43,210,346,496 bytes free
.
- - End Of File - - 43050A27A427207C098A58CAE8040E40

Which TDSSKiller log do you need? There seem to be multiple files when I follow the C: drive tree.





