Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Unknown Rootkit (Atapi.sys file corrupted) & Google Won't Load


  • This topic is locked This topic is locked
14 replies to this topic

#1 starblazers

starblazers

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:08:01 AM

Posted 27 February 2012 - 09:04 PM

Last night, while I was working on computer, I tried to load Google, but could not get it to load. Every other site I go to seems to work, more or less, except 411mania, which only loads the sidebar and not the main portion of the page. At first, I thought these were simply problems the two sites themselves were having, but I tested them on other computers and they load fine. Just to be on the safe side, I downloaded AVG 12 Free Edition. It found 77 threats and supposedly got rid of them. Even so, Google still refused to load. So I ran an Anti-Rootkit scan via AVG12 Free. It came across a file, system32/drivers/sfcync2.sys, that it claimed was an IRP hook \Driver\atapi IRP_MJ_INTERNAL_DEVICE_CONTROL -> sfsync02.sys +0x18B4. This was presumably caused by some file with a bunch of numbers in it located in the Documents&Settings/Owner folder. I deleted the number file twice, rebooting each time. That file is now gone, but I still get a Corrupted section atapi.sys [.text] +0x67B4, size 1 bytes reading when I do a Anti-Rootkit scan with AVG12 Free.

Basically, I just want to make sure my computer is virus and rootkit-free, and figure out why Google isn't loading up at all. I'll probably say it many times over the course of this thread, but thanks for any help and/or advice you can give me in relation to this problem. Here are the requested Logs.


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Run by Owner at 19:47:09 on 2012-02-27
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.519 [GMT -5:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {348FE907-249E-4C65-A838-F34A193FE1D1} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [EA Core] c:\program files\electronic arts\ea downloader\Core.exe -silent
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Windows Update Server] c:\documents and settings\owner\2d7c2e27-5772.exe
mRun: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [CTDVDDET] c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDET.EXE
mRun: [SBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SideWinderTrayV4] c:\progra~1\micros~2\gameco~1\common\SWTrayV4.exe
mRun: [vdrdpup] c:\windows\system32\rundll32 c:\windows\system32\vdrdpup.dll,RegisterVirtualChannel
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Lexmark X5100 Series] "c:\program files\lexmark x5100 series\lxbabmgr.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\regist~1.lnk - c:\program files\ubisoft\heroes of might and magic v\registration\RegistrationReminder.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\sidreg~1.lnk - d:\ATR1.EXE
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab
DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} - hxxp://simcity.ea.com/exchange/lots/teleport/MaxisSimCity4LotTeleX.cab
DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF}
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs//flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{D54A80EB-8A2C-4F37-97A7-CBE2D80B6029} : DhcpNameServer = 192.168.1.254
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Notify: WB - c:\program files\alienguise\fastload.dll
AppInit_DLLs: wbsys.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\sa66y3vs.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff10.dll
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff4.dll
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff5.dll
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff6.dll
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff7.dll
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff8.dll
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff9.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPJinit13128.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\avg\avg2012\Firefox4
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-4 16720]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-6-5 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-6-5 136176]
.
=============== Created Last 30 ================
.
2012-02-27 16:35:12 -------- d--h--w- C:\$AVG
2012-02-27 16:22:05 -------- d-----w- c:\documents and settings\owner\application data\AVG2012
2012-02-27 16:20:51 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2012-02-27 16:19:40 -------- d-----w- c:\windows\system32\drivers\AVG
2012-02-27 16:19:40 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
2012-02-27 16:19:00 -------- d-----w- c:\program files\AVG
2012-02-27 16:18:03 -------- d-----w- c:\documents and settings\all users\application data\MFAData
.
==================== Find3M ====================
.
.
============= FINISH: 19:48:08.03 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:01 AM

Posted 28 February 2012 - 01:53 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool untill instructed to do so!


Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 starblazers

starblazers
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:08:01 AM

Posted 28 February 2012 - 01:59 PM

Hi, Gringo! Thanks for responding so quickly! :)

I ran Combofix as requested. It did ask me to install/update the Recovery Console, and I did so. Combofix did not restart my computer, however. When I opened up Firefox, Google is still not coming up at all. I didn't run AVG's Anti-Rootkit Scan on it again to see if it was still registering the Atapi.sys file corruption, because I thought it might interfere with our threat elimination process. Oh, and I now have an extra Internet Explorer icon on the desktop and when I opened Firefox, it asked me if I wanted to make Firefox the default browser (I said yes.) Other than that, it isn't/wasn't doing anything it shouldn't be doing (that I know of), but I still don't trust it. Anyway, here is the Combofix log as requested:


ComboFix 12-02-27.02 - Owner 02/28/2012 13:35:19.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.544 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\Owner\WINDOWS
c:\windows\EventSystem.log
c:\windows\iun6002.exe
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\Thumbs.db
c:\windows\Temp\scsE.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-01-28 to 2012-02-28 )))))))))))))))))))))))))))))))
.
.
2012-02-27 16:35 . 2012-02-27 16:35 -------- d-----w- C:\$AVG
2012-02-27 16:22 . 2012-02-27 16:22 -------- d-----w- c:\documents and settings\Owner\Application Data\AVG2012
2012-02-27 16:20 . 2012-02-27 16:20 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2012-02-27 16:19 . 2012-02-28 18:04 -------- d-----w- c:\windows\system32\drivers\AVG
2012-02-27 16:19 . 2012-02-27 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2012-02-27 16:19 . 2012-02-27 16:19 -------- d-----w- c:\program files\AVG
2012-02-27 16:18 . 2012-02-28 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AsioReg"="CTASIO.DLL" [2003-06-20 118784]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-07-02 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-04 45056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SideWinderTrayV4"="c:\progra~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe" [2000-06-03 24650]
"vdrdpup"="c:\windows\system32\vdrdpup.dll" [2004-03-02 71680]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-02-23 278528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-03-07 155648]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-03 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504]
"Lexmark X5100 Series"="c:\program files\Lexmark X5100 Series\lxbabmgr.exe" [2003-03-04 86100]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
Registration Heroes of Might & Magic 5.LNK - c:\program files\Ubisoft\Heroes of Might and Magic V\registration\RegistrationReminder.exe [N/A]
Sid Registration.lnk - D:\ATR1.EXE [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 06:34 24576 ----a-w- c:\program files\AlienGUIse\fastload.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wbsys.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
2003-06-20 03:55 24576 ----a-w- c:\windows\system32\CTHELPER.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [7/11/2011 1:14 AM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/13/2011 6:30 AM 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [10/7/2011 6:23 AM 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/11/2011 1:14 AM 295248]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 6:09 AM 192776]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [7/11/2011 1:14 AM 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [7/11/2011 1:14 AM 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [10/4/2011 6:21 AM 16720]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 6:25 AM 4433248]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/5/2011 12:08 PM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/5/2011 12:08 PM 136176]
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-05 17:07]
.
2012-02-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-05 17:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
TCP: DhcpNameServer = 192.168.1.254
DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF}
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\sa66y3vs.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\AVG\AVG2012\Firefox4
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-EA Core - c:\program files\Electronic Arts\EA Downloader\Core.exe
HKCU-Run-Windows Update Server - c:\documents and settings\Owner\2d7c2e27-5772.exe
HKLM-Run-nwiz - nwiz.exe
MSConfigStartUp-AlienAutopsy - c:\program files\AlienAutopsy\Test_BS.exe
MSConfigStartUp-ICQ Lite - c:\program files\ICQLite\ICQLite.exe
AddRemove-DesertCombat - c:\windows\iun6002.exe
AddRemove-Galactic Conquest Mod - c:\program files\EA GAMES\Battlefield 1942\MODS\GCMOD\Uninst.exe
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-28 13:39
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2052111302-1606980848-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-2052111302-1606980848-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:5e,13,20,ec,7a,3d,a2,2b,5c,11,54,90,6e,32,0d,f9,55,2a,fd,ce,e1,06,ce,
15,3c,a2,46,a3,f6,60,68,ca,b6,41,12,25,cd,22,14,86,a1,e1,fc,18,69,5a,9c,9b,\
"??"=hex:c3,4b,5e,90,65,97,22,8e,d0,69,af,1a,d5,9f,81,90
.
[HKEY_LOCAL_MACHINE\software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:4e,6c,b5,1c,31,50,ed,fd,32,1c,d5,4b,24,31,3d,d2,a4,d9,b7,1b,db,58,de,
3e,4c,eb,e5,76,64,66,5d,c1,f1,67,ed,69,57,12,20,a3,51,46,c5,2f,f5,98,27,6a,\
"??"=hex:36,ef,c7,68,7c,0a,ee,c7,1d,2a,c8,cb,99,5d,79,1a
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(940)
c:\program files\AlienGUIse\fastload.dll
.
Completion time: 2012-02-28 13:41:27
ComboFix-quarantined-files.txt 2012-02-28 18:41
.
Pre-Run: 222,504,349,696 bytes free
Post-Run: 231,243,616,256 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 93787FAC298872D7B603E656E92DB05E

Edited by starblazers, 28 February 2012 - 02:03 PM.


#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:01 AM

Posted 28 February 2012 - 07:40 PM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one come back and let me know

please reply with the reports from TDSSKiller and aswMBR

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 starblazers

starblazers
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:08:01 AM

Posted 28 February 2012 - 08:43 PM

Here are the two reports, as requested:


20:04:12.0765 0292 TDSS rootkit removing tool 2.7.15.0 Feb 27 2012 12:59:02
20:04:13.0093 0292 ============================================================
20:04:13.0093 0292 Current date / time: 2012/02/28 20:04:13.0093
20:04:13.0093 0292 SystemInfo:
20:04:13.0093 0292
20:04:13.0093 0292 OS Version: 5.1.2600 ServicePack: 2.0
20:04:13.0093 0292 Product type: Workstation
20:04:13.0093 0292 ComputerName: CYBERBLUE
20:04:13.0109 0292 UserName: Owner
20:04:13.0109 0292 Windows directory: C:\WINDOWS
20:04:13.0109 0292 System windows directory: C:\WINDOWS
20:04:13.0109 0292 Processor architecture: Intel x86
20:04:13.0109 0292 Number of processors: 2
20:04:13.0109 0292 Page size: 0x1000
20:04:13.0109 0292 Boot type: Normal boot
20:04:13.0109 0292 ============================================================
20:04:15.0187 0292 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
20:04:15.0203 0292 \Device\Harddisk0\DR0:
20:04:15.0203 0292 MBR used
20:04:15.0203 0292 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x1D1C4542
20:04:15.0218 0292 Initialize success
20:04:15.0218 0292 ============================================================
20:04:28.0812 4012 ============================================================
20:04:28.0812 4012 Scan started
20:04:28.0812 4012 Mode: Manual;
20:04:28.0812 4012 ============================================================
20:04:29.0140 4012 Abiosdsk - ok
20:04:29.0156 4012 abp480n5 - ok
20:04:29.0218 4012 ACPI (3b67b435fddf777c595f0ec736b03c37) C:\WINDOWS\system32\DRIVERS\ACPI.sys
20:04:29.0250 4012 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ACPI.sys. Real md5: 3b67b435fddf777c595f0ec736b03c37, Fake md5: a10c7534f7223f4a73a948967d00e69b
20:04:29.0250 4012 ACPI ( Virus.Win32.Rloader.a ) - infected
20:04:29.0250 4012 ACPI - detected Virus.Win32.Rloader.a (0)
20:04:29.0359 4012 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
20:04:29.0359 4012 ACPIEC - ok
20:04:29.0375 4012 adpu160m - ok
20:04:29.0453 4012 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
20:04:29.0453 4012 aec - ok
20:04:29.0500 4012 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
20:04:29.0500 4012 AFD - ok
20:04:29.0515 4012 Aha154x - ok
20:04:29.0515 4012 aic78u2 - ok
20:04:29.0531 4012 aic78xx - ok
20:04:29.0546 4012 AliIde - ok
20:04:29.0562 4012 amsint - ok
20:04:29.0578 4012 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
20:04:29.0578 4012 Arp1394 - ok
20:04:29.0593 4012 asc - ok
20:04:29.0593 4012 asc3350p - ok
20:04:29.0609 4012 asc3550 - ok
20:04:29.0625 4012 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
20:04:29.0625 4012 AsyncMac - ok
20:04:29.0640 4012 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
20:04:29.0656 4012 atapi - ok
20:04:29.0656 4012 Atdisk - ok
20:04:29.0703 4012 atksgt (5b80e84af6b02ecab72dae9afee06309) C:\WINDOWS\system32\DRIVERS\atksgt.sys
20:04:29.0703 4012 atksgt - ok
20:04:29.0734 4012 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
20:04:29.0734 4012 Atmarpc - ok
20:04:29.0781 4012 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
20:04:29.0781 4012 audstub - ok
20:04:29.0843 4012 AVGIDSDriver (4fa401b33c1b50c816486f6951244a14) C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys
20:04:29.0843 4012 AVGIDSDriver - ok
20:04:29.0859 4012 AVGIDSEH (69578bc9d43d614c6b3455db4af19762) C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys
20:04:29.0859 4012 AVGIDSEH - ok
20:04:29.0875 4012 AVGIDSFilter (6df528406aa22201f392b9b19121cd6f) C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys
20:04:29.0875 4012 AVGIDSFilter - ok
20:04:29.0890 4012 AVGIDSShim (1e01c2166b5599802bcd61b9691f7476) C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys
20:04:29.0890 4012 AVGIDSShim - ok
20:04:29.0921 4012 Avgldx86 (bf8118cd5e2255387b715b534d64acd1) C:\WINDOWS\system32\DRIVERS\avgldx86.sys
20:04:29.0921 4012 Avgldx86 - ok
20:04:29.0953 4012 Avgmfx86 (1c77ef67f196466adc9924cb288afe87) C:\WINDOWS\system32\DRIVERS\avgmfx86.sys
20:04:29.0953 4012 Avgmfx86 - ok
20:04:29.0968 4012 Avgrkx86 (f2038ed7284b79dcef581468121192a9) C:\WINDOWS\system32\DRIVERS\avgrkx86.sys
20:04:29.0968 4012 Avgrkx86 - ok
20:04:30.0000 4012 Avgtdix (a6d562b612216d8d02a35ebeb92366bd) C:\WINDOWS\system32\DRIVERS\avgtdix.sys
20:04:30.0000 4012 Avgtdix - ok
20:04:30.0093 4012 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
20:04:30.0093 4012 Beep - ok
20:04:30.0312 4012 catchme - ok
20:04:30.0390 4012 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
20:04:30.0390 4012 cbidf2k - ok
20:04:30.0406 4012 cd20xrnt - ok
20:04:30.0421 4012 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
20:04:30.0421 4012 Cdaudio - ok
20:04:30.0453 4012 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
20:04:30.0453 4012 Cdfs - ok
20:04:30.0515 4012 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
20:04:30.0515 4012 Cdrom - ok
20:04:30.0515 4012 Changer - ok
20:04:30.0531 4012 CmdIde - ok
20:04:30.0562 4012 Cpqarray - ok
20:04:30.0625 4012 ctac32k (e7610aba1f551eb77b6bb2274d194f93) C:\WINDOWS\system32\drivers\ctac32k.sys
20:04:30.0640 4012 ctac32k - ok
20:04:30.0703 4012 ctaud2k (e9ee8b502acfbd0955d081d7a1ccce24) C:\WINDOWS\system32\drivers\ctaud2k.sys
20:04:30.0703 4012 ctaud2k - ok
20:04:30.0781 4012 ctdvda2k (437f2b31ba8b6b264d38b4fe6682faec) C:\WINDOWS\system32\drivers\ctdvda2k.sys
20:04:30.0781 4012 ctdvda2k - ok
20:04:30.0828 4012 ctprxy2k (90fd30ea61c68df474a0b398f03e6d9b) C:\WINDOWS\system32\drivers\ctprxy2k.sys
20:04:30.0828 4012 ctprxy2k - ok
20:04:30.0843 4012 ctsfm2k (ab564ee9668bf9af1c3e5544cceade1d) C:\WINDOWS\system32\drivers\ctsfm2k.sys
20:04:30.0843 4012 ctsfm2k - ok
20:04:30.0859 4012 dac2w2k - ok
20:04:30.0875 4012 dac960nt - ok
20:04:30.0906 4012 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
20:04:30.0906 4012 Disk - ok
20:04:30.0984 4012 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
20:04:31.0000 4012 dmboot - ok
20:04:31.0078 4012 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
20:04:31.0078 4012 dmio - ok
20:04:31.0109 4012 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
20:04:31.0109 4012 dmload - ok
20:04:31.0140 4012 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
20:04:31.0156 4012 DMusic - ok
20:04:31.0156 4012 dpti2o - ok
20:04:31.0203 4012 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
20:04:31.0203 4012 drmkaud - ok
20:04:31.0218 4012 emupia (8b2303cf5fdc7e97a975bd1069cd99d6) C:\WINDOWS\system32\drivers\emupia2k.sys
20:04:31.0218 4012 emupia - ok
20:04:31.0281 4012 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
20:04:31.0281 4012 Fastfat - ok
20:04:31.0343 4012 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
20:04:31.0343 4012 Fdc - ok
20:04:31.0390 4012 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
20:04:31.0390 4012 Fips - ok
20:04:31.0437 4012 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
20:04:31.0437 4012 Flpydisk - ok
20:04:31.0500 4012 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
20:04:31.0500 4012 FltMgr - ok
20:04:31.0500 4012 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
20:04:31.0515 4012 Fs_Rec - ok
20:04:31.0546 4012 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
20:04:31.0546 4012 Ftdisk - ok
20:04:31.0578 4012 gameenum (5f92fd09e5610a5995da7d775eadcd12) C:\WINDOWS\system32\DRIVERS\gameenum.sys
20:04:31.0578 4012 gameenum - ok
20:04:31.0609 4012 GcKernel (97983db98129efe4e2d215ce350a7546) C:\WINDOWS\system32\DRIVERS\GcKernel.sys
20:04:31.0609 4012 GcKernel - ok
20:04:31.0640 4012 GEARAspiWDM (32a73a8952580b284a47290adb62032a) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
20:04:31.0640 4012 GEARAspiWDM - ok
20:04:31.0671 4012 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
20:04:31.0671 4012 Gpc - ok
20:04:31.0734 4012 ha10kx2k (e64325ba1ede4a2551a0be186c61d4d7) C:\WINDOWS\system32\drivers\ha10kx2k.sys
20:04:31.0734 4012 ha10kx2k - ok
20:04:31.0765 4012 hap16v2k (a28be5017b423a783dd0d0a4cd3b48f5) C:\WINDOWS\system32\drivers\hap16v2k.sys
20:04:31.0765 4012 hap16v2k - ok
20:04:31.0781 4012 HIDSwvd (bd205320308fb41c88a4049a2d1764b4) C:\WINDOWS\system32\DRIVERS\HIDSwvd.sys
20:04:31.0781 4012 HIDSwvd - ok
20:04:31.0828 4012 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
20:04:31.0828 4012 HidUsb - ok
20:04:31.0843 4012 hpn - ok
20:04:31.0906 4012 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
20:04:31.0906 4012 HTTP - ok
20:04:31.0921 4012 i2omgmt - ok
20:04:31.0937 4012 i2omp - ok
20:04:31.0968 4012 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
20:04:31.0968 4012 i8042prt - ok
20:04:31.0984 4012 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
20:04:31.0984 4012 Imapi - ok
20:04:32.0000 4012 ini910u - ok
20:04:32.0046 4012 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys
20:04:32.0046 4012 IntelIde - ok
20:04:32.0093 4012 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
20:04:32.0093 4012 intelppm - ok
20:04:32.0125 4012 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
20:04:32.0125 4012 Ip6Fw - ok
20:04:32.0140 4012 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
20:04:32.0140 4012 IpFilterDriver - ok
20:04:32.0140 4012 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
20:04:32.0156 4012 IpInIp - ok
20:04:32.0218 4012 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
20:04:32.0234 4012 IpNat - ok
20:04:32.0281 4012 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
20:04:32.0281 4012 IPSec - ok
20:04:32.0312 4012 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
20:04:32.0312 4012 IRENUM - ok
20:04:32.0343 4012 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
20:04:32.0343 4012 isapnp - ok
20:04:32.0359 4012 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
20:04:32.0359 4012 Kbdclass - ok
20:04:32.0390 4012 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
20:04:32.0406 4012 kbdhid - ok
20:04:32.0453 4012 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
20:04:32.0453 4012 kmixer - ok
20:04:32.0484 4012 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
20:04:32.0484 4012 KSecDD - ok
20:04:32.0500 4012 lbrtfdc - ok
20:04:32.0546 4012 lirsgt (975b6cf65f44e95883f3855bae8cecaf) C:\WINDOWS\system32\DRIVERS\lirsgt.sys
20:04:32.0546 4012 lirsgt - ok
20:04:32.0578 4012 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
20:04:32.0578 4012 mnmdd - ok
20:04:32.0593 4012 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
20:04:32.0593 4012 Modem - ok
20:04:32.0625 4012 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
20:04:32.0625 4012 Mouclass - ok
20:04:32.0687 4012 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
20:04:32.0687 4012 mouhid - ok
20:04:32.0703 4012 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
20:04:32.0703 4012 MountMgr - ok
20:04:32.0703 4012 mraid35x - ok
20:04:32.0750 4012 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
20:04:32.0750 4012 MRxDAV - ok
20:04:32.0812 4012 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
20:04:32.0812 4012 MRxSmb - ok
20:04:32.0843 4012 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
20:04:32.0843 4012 Msfs - ok
20:04:32.0875 4012 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
20:04:32.0875 4012 MSKSSRV - ok
20:04:32.0890 4012 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
20:04:32.0890 4012 MSPCLOCK - ok
20:04:32.0890 4012 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
20:04:32.0890 4012 MSPQM - ok
20:04:32.0906 4012 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
20:04:32.0906 4012 mssmbios - ok
20:04:32.0937 4012 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
20:04:32.0937 4012 Mup - ok
20:04:33.0000 4012 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
20:04:33.0000 4012 NDIS - ok
20:04:33.0046 4012 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
20:04:33.0046 4012 NdisTapi - ok
20:04:33.0062 4012 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
20:04:33.0062 4012 Ndisuio - ok
20:04:33.0093 4012 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
20:04:33.0093 4012 NdisWan - ok
20:04:33.0109 4012 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
20:04:33.0109 4012 NDProxy - ok
20:04:33.0140 4012 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
20:04:33.0140 4012 NetBIOS - ok
20:04:33.0156 4012 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
20:04:33.0171 4012 NetBT - ok
20:04:33.0218 4012 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys
20:04:33.0218 4012 NIC1394 - ok
20:04:33.0234 4012 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
20:04:33.0234 4012 Npfs - ok
20:04:33.0421 4012 nsysaudm - ok
20:04:33.0500 4012 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
20:04:33.0500 4012 Ntfs - ok
20:04:33.0562 4012 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
20:04:33.0562 4012 Null - ok
20:04:33.0984 4012 nv (30913cbf518396912e54c2c9f1dd0f09) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
20:04:34.0031 4012 nv - ok
20:04:34.0093 4012 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
20:04:34.0093 4012 NwlnkFlt - ok
20:04:34.0093 4012 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
20:04:34.0093 4012 NwlnkFwd - ok
20:04:34.0140 4012 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
20:04:34.0140 4012 ohci1394 - ok
20:04:34.0187 4012 ossrv (8db15d0105d92c2fbca5e83cd882a477) C:\WINDOWS\system32\drivers\ctoss2k.sys
20:04:34.0187 4012 ossrv - ok
20:04:34.0218 4012 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
20:04:34.0218 4012 Parport - ok
20:04:34.0250 4012 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
20:04:34.0265 4012 PartMgr - ok
20:04:34.0296 4012 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
20:04:34.0296 4012 ParVdm - ok
20:04:34.0328 4012 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
20:04:34.0328 4012 PCI - ok
20:04:34.0343 4012 PCIDump - ok
20:04:34.0343 4012 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
20:04:34.0359 4012 PCIIde - ok
20:04:34.0375 4012 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
20:04:34.0375 4012 Pcmcia - ok
20:04:34.0390 4012 PDCOMP - ok
20:04:34.0406 4012 PDFRAME - ok
20:04:34.0406 4012 PDRELI - ok
20:04:34.0421 4012 PDRFRAME - ok
20:04:34.0437 4012 perc2 - ok
20:04:34.0437 4012 perc2hib - ok
20:04:34.0500 4012 PfModNT (c8a2d6ff660ac601b7bb9a9b16a5c25e) C:\WINDOWS\system32\drivers\PfModNT.sys
20:04:34.0500 4012 PfModNT - ok
20:04:34.0531 4012 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
20:04:34.0531 4012 PptpMiniport - ok
20:04:34.0578 4012 prodrv06 (18d9789a4664bf417eea944d2776091a) C:\WINDOWS\System32\drivers\prodrv06.sys
20:04:34.0578 4012 prodrv06 - ok
20:04:34.0593 4012 prohlp02 (8cc9671a7ed2902e747ee0892e1c8575) C:\WINDOWS\system32\drivers\prohlp02.sys
20:04:34.0593 4012 prohlp02 - ok
20:04:34.0609 4012 prosync1 - ok
20:04:34.0625 4012 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
20:04:34.0625 4012 PSched - ok
20:04:34.0640 4012 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
20:04:34.0656 4012 Ptilink - ok
20:04:34.0656 4012 ql1080 - ok
20:04:34.0671 4012 Ql10wnt - ok
20:04:34.0687 4012 ql12160 - ok
20:04:34.0687 4012 ql1240 - ok
20:04:34.0703 4012 ql1280 - ok
20:04:34.0734 4012 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
20:04:34.0734 4012 RasAcd - ok
20:04:34.0750 4012 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
20:04:34.0750 4012 Rasl2tp - ok
20:04:34.0765 4012 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
20:04:34.0765 4012 RasPppoe - ok
20:04:34.0781 4012 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
20:04:34.0781 4012 Raspti - ok
20:04:34.0843 4012 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
20:04:34.0843 4012 Rdbss - ok
20:04:34.0875 4012 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
20:04:34.0875 4012 RDPCDD - ok
20:04:34.0921 4012 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
20:04:34.0921 4012 RDPWD - ok
20:04:34.0953 4012 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
20:04:34.0953 4012 redbook - ok
20:04:35.0015 4012 Secdrv (07f7f501ad50de2ba2d5842d9b6d6155) C:\WINDOWS\system32\DRIVERS\secdrv.sys
20:04:35.0015 4012 Secdrv - ok
20:04:35.0031 4012 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
20:04:35.0031 4012 serenum - ok
20:04:35.0046 4012 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
20:04:35.0046 4012 Serial - ok
20:04:35.0109 4012 sfdrv01 (9e7dee11fd5a4355941a45f13c0ed59a) C:\WINDOWS\system32\drivers\sfdrv01.sys
20:04:35.0109 4012 sfdrv01 - ok
20:04:35.0140 4012 sfhlp01 (462aee0ea0481ea8bd45cac876a4ccc4) C:\WINDOWS\system32\drivers\sfhlp01.sys
20:04:35.0140 4012 sfhlp01 - ok
20:04:35.0156 4012 sfhlp02 (ecefb59d2206d281e6d317af0ea0d8bd) C:\WINDOWS\system32\drivers\sfhlp02.sys
20:04:35.0156 4012 sfhlp02 - ok
20:04:35.0218 4012 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
20:04:35.0218 4012 Sfloppy - ok
20:04:35.0218 4012 sfsync02 - ok
20:04:35.0250 4012 sfvfs02 (d5a7e09d2c6a702809e49190d52adc9f) C:\WINDOWS\system32\drivers\sfvfs02.sys
20:04:35.0250 4012 sfvfs02 - ok
20:04:35.0281 4012 Simbad - ok
20:04:35.0328 4012 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
20:04:35.0343 4012 SONYPVU1 - ok
20:04:35.0437 4012 sony_ssm.sys - ok
20:04:35.0468 4012 Sparrow - ok
20:04:35.0531 4012 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
20:04:35.0531 4012 splitter - ok
20:04:35.0562 4012 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
20:04:35.0562 4012 sr - ok
20:04:35.0625 4012 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
20:04:35.0625 4012 Srv - ok
20:04:35.0687 4012 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
20:04:35.0687 4012 swenum - ok
20:04:35.0718 4012 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
20:04:35.0718 4012 swmidi - ok
20:04:35.0734 4012 symc810 - ok
20:04:35.0750 4012 symc8xx - ok
20:04:35.0765 4012 sym_hi - ok
20:04:35.0765 4012 sym_u3 - ok
20:04:35.0812 4012 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
20:04:35.0812 4012 sysaudio - ok
20:04:35.0875 4012 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
20:04:35.0875 4012 Tcpip - ok
20:04:35.0937 4012 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
20:04:35.0937 4012 TDPIPE - ok
20:04:35.0953 4012 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
20:04:35.0953 4012 TDTCP - ok
20:04:36.0000 4012 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
20:04:36.0000 4012 TermDD - ok
20:04:36.0015 4012 TosIde - ok
20:04:36.0062 4012 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
20:04:36.0062 4012 Udfs - ok
20:04:36.0078 4012 ultra - ok
20:04:36.0109 4012 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
20:04:36.0109 4012 Update - ok
20:04:36.0156 4012 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
20:04:36.0156 4012 usbccgp - ok
20:04:36.0218 4012 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
20:04:36.0218 4012 usbehci - ok
20:04:36.0234 4012 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
20:04:36.0234 4012 usbhub - ok
20:04:36.0296 4012 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
20:04:36.0296 4012 usbprint - ok
20:04:36.0343 4012 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
20:04:36.0343 4012 usbscan - ok
20:04:36.0390 4012 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
20:04:36.0390 4012 USBSTOR - ok
20:04:36.0453 4012 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
20:04:36.0453 4012 usbuhci - ok
20:04:36.0500 4012 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
20:04:36.0500 4012 VgaSave - ok
20:04:36.0515 4012 ViaIde - ok
20:04:36.0562 4012 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
20:04:36.0562 4012 VolSnap - ok
20:04:36.0609 4012 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
20:04:36.0609 4012 Wanarp - ok
20:04:36.0625 4012 WDICA - ok
20:04:36.0687 4012 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
20:04:36.0687 4012 wdmaud - ok
20:04:36.0718 4012 WmBEnum (bc3ecbcb40147bdae3ad2fd0b4b346d8) C:\WINDOWS\system32\drivers\WmBEnum.sys
20:04:36.0734 4012 WmBEnum - ok
20:04:36.0765 4012 WmFilter (19f9881d8b3484fedb605d0216876898) C:\WINDOWS\system32\drivers\WmFilter.sys
20:04:36.0765 4012 WmFilter - ok
20:04:36.0781 4012 WmVirHid (7a51545a6409a25eedbdbd97d019e8cc) C:\WINDOWS\system32\drivers\WmVirHid.sys
20:04:36.0781 4012 WmVirHid - ok
20:04:36.0796 4012 WmXlCore (1f083b3bc73017e60c3ca85cf4a70753) C:\WINDOWS\system32\drivers\WmXlCore.sys
20:04:36.0796 4012 WmXlCore - ok
20:04:36.0828 4012 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
20:04:36.0828 4012 WS2IFSL - ok
20:04:36.0875 4012 yukonwxp (aaafc7b7680ed5a31ebae3354d042e2e) C:\WINDOWS\system32\DRIVERS\yk51x86.sys
20:04:36.0875 4012 yukonwxp - ok
20:04:36.0906 4012 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
20:04:37.0046 4012 \Device\Harddisk0\DR0 - ok
20:04:37.0062 4012 Boot (0x1200) (8a039fe80170daf61edd8743349f7b06) \Device\Harddisk0\DR0\Partition0
20:04:37.0062 4012 \Device\Harddisk0\DR0\Partition0 - ok
20:04:37.0062 4012 ============================================================
20:04:37.0062 4012 Scan finished
20:04:37.0062 4012 ============================================================
20:04:37.0062 3900 Detected object count: 1
20:04:37.0062 3900 Actual detected object count: 1
20:04:51.0937 3900 C:\WINDOWS\system32\DRIVERS\ACPI.sys - copied to quarantine
20:04:52.0281 3900 Backup copy found, using it..
20:04:52.0312 3900 C:\WINDOWS\system32\DRIVERS\ACPI.sys - will be cured on reboot
20:04:52.0312 3900 ACPI ( Virus.Win32.Rloader.a ) - User select action: Cure
20:04:56.0890 2176 Deinitialize success



aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-02-28 20:09:54
-----------------------------
20:09:54.781 OS Version: Windows 5.1.2600 Service Pack 2
20:09:54.781 Number of processors: 2 586 0x304
20:09:54.781 ComputerName: CYBERBLUE UserName: Owner
20:09:55.515 Initialize success
20:18:51.046 AVAST engine defs: 12022802
20:20:40.515 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e
20:20:40.515 Disk 0 Vendor: WDC_WD2500JD-22HBB0 08.02D08 Size: 238475MB BusType: 3
20:20:40.546 Disk 0 MBR read successfully
20:20:40.546 Disk 0 MBR scan
20:20:40.593 Disk 0 Windows XP default MBR code
20:20:40.593 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 238472 MB offset 63
20:20:40.609 Disk 0 scanning sectors +488392065
20:20:40.671 Disk 0 scanning C:\WINDOWS\system32\drivers
20:20:47.578 Service scanning
20:21:02.609 Modules scanning
20:21:26.531 Disk 0 trace - called modules:
20:21:26.546 ntoskrnl.exe CLASSPNP.SYS disk.sys tskC9.tmp hal.dll atapi.sys pciide.sys PCIIDEX.SYS
20:21:26.546 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f22ab8]
20:21:26.578 3 CLASSPNP.SYS[f757805b] -> nt!IofCallDriver -> \Device\0000007b[0x86f51b28]
20:21:26.578 5 tskC9.tmp[f74b7620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-e[0x86f2a940]
20:21:26.921 AVAST engine scan C:\WINDOWS
20:21:48.593 AVAST engine scan C:\WINDOWS\system32
20:25:20.531 AVAST engine scan C:\WINDOWS\system32\drivers
20:25:33.656 AVAST engine scan C:\Documents and Settings\Owner
20:33:11.187 AVAST engine scan C:\Documents and Settings\All Users
20:33:54.265 Scan finished successfully
20:39:27.468 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
20:39:27.484 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:01 AM

Posted 29 February 2012 - 08:45 AM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 starblazers

starblazers
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:08:01 AM

Posted 29 February 2012 - 12:06 PM

Ran the script and Combofix with no problem, and I even remembered to temporarily disable AVG before doing so. An interesting development, however. Last night, for some reason, Google started loading again. Seemingly a good thing, but AVG also detected a threat at 10:30pm last night my time. It was Trojan Horse Generic 27.YUA according to AVG. I placed it in the AVG Virus Vault. Again, I haven't run any sort of scan with AVG since posting my first post in this topic, it just detected it on its own. All of this was before I ran the script just a few minutes ago. The computer appears to be behaving itself at the moment and Google is loading and everything as it did before all this started. But it does have me wondering if the Generic 27 Trojan has been completely eliminated by this latest Script/Combofix we just did. Anyway, that's the state of things at the moment. Here now is the Combofix log you requested.

ComboFix 12-02-27.02 - Owner 02/29/2012 11:41:36.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.670 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((( Files Created from 2012-01-28 to 2012-02-29 )))))))))))))))))))))))))))))))
.
.
2012-02-29 01:04 . 2012-02-29 01:04 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-27 16:35 . 2012-02-27 16:35 -------- d-----w- C:\$AVG
2012-02-27 16:22 . 2012-02-27 16:22 -------- d-----w- c:\documents and settings\Owner\Application Data\AVG2012
2012-02-27 16:20 . 2012-02-27 16:20 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2012-02-27 16:19 . 2012-02-29 14:35 -------- d-----w- c:\windows\system32\drivers\AVG
2012-02-27 16:19 . 2012-02-27 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2012-02-27 16:19 . 2012-02-27 16:19 -------- d-----w- c:\program files\AVG
2012-02-27 16:18 . 2012-02-29 14:36 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-29 01:05 . 2004-08-03 23:07 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2012-02-28_18.39.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-02-29 14:29 . 2012-02-29 14:29 16384 c:\windows\Temp\Perflib_Perfdata_1bc.dat
+ 2005-02-22 17:49 . 2012-02-29 01:10 71060 c:\windows\system32\perfc009.dat
- 2005-02-22 17:49 . 2011-11-06 14:08 71060 c:\windows\system32\perfc009.dat
+ 2005-02-22 17:49 . 2012-02-29 01:10 441124 c:\windows\system32\perfh009.dat
- 2005-02-22 17:49 . 2011-11-06 14:08 441124 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AsioReg"="CTASIO.DLL" [2003-06-20 118784]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-07-02 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-04 45056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SideWinderTrayV4"="c:\progra~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe" [2000-06-03 24650]
"vdrdpup"="c:\windows\system32\vdrdpup.dll" [2004-03-02 71680]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-02-23 278528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-03-07 155648]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-03 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504]
"Lexmark X5100 Series"="c:\program files\Lexmark X5100 Series\lxbabmgr.exe" [2003-03-04 86100]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
Registration Heroes of Might & Magic 5.LNK - c:\program files\Ubisoft\Heroes of Might and Magic V\registration\RegistrationReminder.exe [N/A]
Sid Registration.lnk - D:\ATR1.EXE [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 06:34 24576 ----a-w- c:\program files\AlienGUIse\fastload.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wbsys.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
2003-06-20 03:55 24576 ----a-w- c:\windows\system32\CTHELPER.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [7/11/2011 1:14 AM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/13/2011 6:30 AM 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [10/7/2011 6:23 AM 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/11/2011 1:14 AM 295248]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 6:09 AM 192776]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [7/11/2011 1:14 AM 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [7/11/2011 1:14 AM 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [10/4/2011 6:21 AM 16720]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 6:25 AM 4433248]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/5/2011 12:08 PM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/5/2011 12:08 PM 136176]
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-05 17:07]
.
2012-02-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-05 17:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
TCP: DhcpNameServer = 192.168.1.254
DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF}
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\sa66y3vs.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\AVG\AVG2012\Firefox4
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-51985215.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-29 11:46
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2052111302-1606980848-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-2052111302-1606980848-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:5e,13,20,ec,7a,3d,a2,2b,5c,11,54,90,6e,32,0d,f9,55,2a,fd,ce,e1,06,ce,
15,3c,a2,46,a3,f6,60,68,ca,b6,41,12,25,cd,22,14,86,a1,e1,fc,18,69,5a,9c,9b,\
"??"=hex:c3,4b,5e,90,65,97,22,8e,d0,69,af,1a,d5,9f,81,90
.
[HKEY_LOCAL_MACHINE\software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:4e,6c,b5,1c,31,50,ed,fd,32,1c,d5,4b,24,31,3d,d2,a4,d9,b7,1b,db,58,de,
3e,4c,eb,e5,76,64,66,5d,c1,f1,67,ed,69,57,12,20,a3,51,46,c5,2f,f5,98,27,6a,\
"??"=hex:36,ef,c7,68,7c,0a,ee,c7,1d,2a,c8,cb,99,5d,79,1a
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(936)
c:\program files\AlienGUIse\fastload.dll
.
- - - - - - - > 'explorer.exe'(1956)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2012-02-29 11:47:58
ComboFix-quarantined-files.txt 2012-02-29 16:47
ComboFix2.txt 2012-02-28 18:41
.
Pre-Run: 231,159,087,104 bytes free
Post-Run: 231,293,153,280 bytes free
.
- - End Of File - - A5630F6C9883E6E15A597F40FBF2C204

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:01 AM

Posted 29 February 2012 - 12:14 PM

Hello

Do you have a report or know the location it was found



These logs are looking allot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

NOTE** Because of the cleanup process some of the programs I have listed may not be in add/remove anymore this is fine just move to the next item on the list.

You can remove these programs using add/remove or you can use the free uninstaller from Revo (it does allot better of a job

Programs to remove

Adobe Reader 9.4.0
Java™ 6 Update 21
Viewpoint Media Player
[/list]


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.
.

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.
[/list]
Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close


TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


NOTE**
sometimes we have to run it like this To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 starblazers

starblazers
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:08:01 AM

Posted 29 February 2012 - 09:31 PM

Okay, according to the Virus Vault History for AVG, the Trojan horse Generic27.YUA was located at c:\System Volume Information\_restore{2FA67607-E466-4216-A162-86D8CC409EFF}\RP1154\A0158212.exe

After checking that info, I did all the new steps you requested. Should I also go ahead and empty the Virus Vault now to get rid of the nasties stored in there? Anyway, the computer is acting normally right now as far as I can tell. Here are the logs from MBAM and Hijackthis, as requested.


Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.29.07

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.18702
Owner :: CYBERBLUE [administrator]

2/29/2012 9:05:15 PM
mbam-log-2012-02-29 (21-05-15).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 168407
Time elapsed: 4 minute(s), 9 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\WINDOWS\system32\H@tKeysH@@k.DLL (Trojan.Agent) -> Quarantined and deleted successfully.

(end)



Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:20:17 PM, on 2/29/2012
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {348FE907-249E-4C65-A838-F34A193FE1D1} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [vdrdpup] C:\WINDOWS\system32\rundll32 C:\WINDOWS\system32\vdrdpup.dll,RegisterVirtualChannel
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - Startup: Registration Heroes of Might & Magic 5.LNK = C:\Program Files\Ubisoft\Heroes of Might and Magic V\registration\RegistrationReminder.exe
O4 - Startup: Sid Registration.lnk = D:\ATR1.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.alienware.com/mothership.aspx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.com/exchange/lots/teleport/MaxisSimCity4LotTeleX.cab
O16 - DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} (JInitiator 1.3.1.28) -
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\wbsys.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

--
End of file - 7118 bytes

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:01 AM

Posted 01 March 2012 - 01:12 PM

Hello


That is great news - that is system restore and we will be cleaning that out soon and yes you can remove it from the vault


These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
      O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
      O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
      O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
      O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
      O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE**You can research each of those lines >here< and see if you want to keep them or not
    just copy the name between the brackets and paste into the search space
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
sometimes we have to run it like this To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard or copy and paste the results here in this topic

Copy and paste that log as a reply to this topic

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 starblazers

starblazers
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:08:01 AM

Posted 01 March 2012 - 09:13 PM

I removed the Unneeded Startup Entries and then ran the ESET Scan. This is the log item it gave me when I clicked the Copy to Keyboard button. Seems a bit short after the lengthy ones we did earlier, but here you go:

C:\TDSSKiller_Quarantine\28.02.2012_20.04.13\rtkt0000\svc0000\tsk0000.dta Win32/Agent.SUC.Gen trojan

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:01 AM

Posted 01 March 2012 - 09:36 PM

Hello

I like short!!

Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.

Any programs and logs that are left over you can just be deleted from the desktop. TFC is a free temp file cleaner that is very easy to use, I would keep this and use before you do any scans or when you want to free up some space.

:DeFogger:

  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
Your Emulation drivers are now re-enabled.


:Uninstall ComboFix:

  • turn off all active protection software
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.
  • Posted Image


:remove tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.
  • If asked to restart the computer, please do so
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.


:Make your Internet Explorer more secure:

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialise and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.


:Make Firefox more secure:

please visit this page to explain how to make Firefox more secure - How to Secure Firefox


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector


:Turn On Automatic Updates:

Turn On Automatic Updates
1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended) Automatically download recommended updates for my computer and install them

If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

or visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

:antispyware programs:

I would reccomend the download and installation of some or all of the following programs (all free), and the updating of them regularly:

  • WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.
  • Malwarebytes' Anti-Malware Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
    totally free but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recomend keeping it and using often.

Here is some great reading about how to be safer online:

PC Safety and Security - What Do I Need? from my friends at Tech Support Forum
and
COMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removal

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 starblazers

starblazers
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:08:01 AM

Posted 02 March 2012 - 05:32 PM

I think that covers it. The computer is working normally again now. Thanks for your help, it is greatly appreciated!!! :)

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:01 AM

Posted 02 March 2012 - 09:05 PM

you are more than welcome and glad I was able to help


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:01 AM

Posted 05 March 2012 - 01:39 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users