
Alureon F


  • This topic is locked
45 replies to this topic

#1 novice1958

novice1958

  • Members
  • 26 posts

Posted 01 March 2012 - 03:44 AM

My system is 32Bit XP Pro and Avast keeps saying not long after startup that I have been infected MBR:\\.\PHYSICALDRIVE0\Partition2 MBR:Alureon F

It advises me to "Delete it" which I do, then advises me to run a Bootscan which I do. It doesn't find anything in the Bootscan but when the sysytem starts up again it's there again, same messages.

I've tried the latest TDSSKiller with Defogger as well and found nothing.

How do I get rid of it please?


#2 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • Gender:Male

Posted 01 March 2012 - 04:04 PM

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.

If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 novice1958

novice1958
  • Topic Starter

  • Members
  • 26 posts

Posted 03 March 2012 - 05:19 PM

Sorry for the delay, I didn't receive any email notification of a reply. Will check account settings and change if possible.

Did as you suggested but couldn't run DDS through to completion. It would load up the dialogue box and start and display hashes # across the first line under the initial instructions/info until it got to about 3/4 the way across. Then its cursor would just blink in the next line under the hashes, nothing more, and I also noticed that the pc's clock stopped at that time.

This happened on every occasion I tried and I couldn't get anything else happening or close the DDS dialogue box, even though the mouse pointer would move around ok. I had to hit the pc's restart button to power up and get going again.

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 04 March 2012 - 12:06 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic button, select Immediate Notification and click on Proceed. This will help you to get notified faster when I have replied and make the cleaning process faster.


The first thing I would like you to do is run this for me: http://download.bleepingcomputer.com/grinler/unhide.exe. After it is complete, restart the computer and continue with these steps.


Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Under the Custom Scan box paste this in

    %TEMP%\smtmp\*.* /s

  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and is the one that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTListIt.txt in your next reply.


Information and logs:

In your next post I need the following:

  • logs from OTL
  • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
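Gringo's post asks for the OTL log so the team can read the persistence points (services, drivers, Run keys, Winlogon values, search providers, AutoRun commands) by hand. As an added example, not part of this thread and not OTL's own code, the Python below shows how a defender could pre-screen an OTL log in the line format the tool produces and pull out the entries that deserve a second look. The sample lines are constructed in OTL's format (some copied from the log posted in this thread, the rest shortened), the stock Winlogon paths and the search-provider allow-list are assumptions chosen for the example, and the severities are a triage hint, not a verdict.

```python
import re
from collections import namedtuple
from urllib.parse import urlsplit

Finding = namedtuple("Finding", "severity reason line")

# Constructed sample in OTL's line format, modeled on the log posted in this
# thread (a few entries copied from it, the rest shortened); not a real scan.
SAMPLE_LOG = r"""
PRC - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)
DRV - (WDICA) -- File not found
DRV - (aswSP) -- C:\WINDOWS\System32\drivers\aswSP.sys (AVAST Software)
DRV - (StarOpen) -- C:\WINDOWS\System32\drivers\StarOpen.sys ()
IE - HKU\..\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}: "URL" = http://www.mystart.com/search_w.php?q={searchTerms}
O4 - HKLM..\Run: [avast] C:\Program Files\Alwil Software\Avast5\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [SpyShelter] C:\Program Files\SpyShelter Personal Free\SpyShelter.exe ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O33 - MountPoints2\{9bf16e36-54f6-11e0-8c84-0016e6529c17}\Shell\AutoRun\command - "" = H:\wubi.exe --cdmenu
"""

# Assumed stock Windows XP Winlogon values (lower-cased for comparison).
WINLOGON_STOCK = {
    "Shell": r"c:\windows\explorer.exe",
    "UserInit": r"c:\windows\system32\userinit.exe",
}
# Assumed allow-list of search-provider domains; anything else is reported for review.
SEARCH_ALLOWLIST = ("google.com", "bing.com", "yahoo.com")

_COMPANY = re.compile(r"\(([^()]*)\)\s*$")          # trailing "(Company Name)"
_WINLOGON = re.compile(r"O20 - HKLM Winlogon: (\w+) - \(.*?\) - (.*?) \(")
_SEARCH_URL = re.compile(r'SearchScopes\\\{[0-9A-Fa-f-]+\}: "URL" = (\S+)')
_AUTORUN = re.compile(r'\\Shell\\AutoRun\\command - "" = (.+)$')


def trailing_company(line):
    """Return the text inside OTL's trailing (Company) field, '' if empty, None if absent."""
    m = _COMPANY.search(line)
    return m.group(1).strip() if m else None


def triage_line(line):
    """Classify one OTL line; return a Finding or None when nothing stands out."""
    line = line.rstrip()
    kind = line.split(" - ", 1)[0]          # "PRC", "DRV", "O4", "O20", ...
    if kind == "DRV":
        if line.endswith("File not found"):
            return Finding("low", "driver service registered but its file is missing", line)
        if trailing_company(line) == "":
            return Finding("medium", "loaded driver carries no company name", line)
    elif kind in ("PRC", "O2", "O3", "O4"):
        if trailing_company(line) == "":
            return Finding("medium", f"{kind} entry carries no company name", line)
    elif kind == "O20":
        m = _WINLOGON.match(line)
        if m and m.group(1) in WINLOGON_STOCK:
            if m.group(2).lower() != WINLOGON_STOCK[m.group(1)]:
                return Finding("high", f"Winlogon {m.group(1)} points away from the stock binary", line)
    elif kind == "IE":
        m = _SEARCH_URL.search(line)
        if m:
            host = (urlsplit(m.group(1)).hostname or "").lower()
            if not any(host == d or host.endswith("." + d) for d in SEARCH_ALLOWLIST):
                return Finding("medium", f"default search provider is {host}, not on the allow-list", line)
    elif kind == "O33":
        m = _AUTORUN.search(line)
        if m:
            return Finding("medium", f"AutoRun command registered for a mounted volume: {m.group(1)}", line)
    return None


def triage(log_text):
    """Run triage_line over every line of an OTL log and collect the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        f = triage_line(line)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run it on a saved OTL.txt by passing the file's contents to `triage()`. The checks only cover what OTL records from the registry and file system, which is why the thread's helpers still ask for the full log and for dedicated rootkit tools rather than relying on one listing; an entry with an empty company field or an unexpected Winlogon value is a reason to look closer, not proof of infection.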

#5 novice1958

novice1958
  • Topic Starter

  • Members
  • 26 posts

Posted 04 March 2012 - 01:36 AM

OTL logfile created on: 3/4/2012 5:19:10 PM - Run 1
OTL by OldTimer - Version 3.2.35.0 Folder = C:\Documents and Settings\user\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1015.48 Mb Total Physical Memory | 440.42 Mb Available Physical Memory | 43.37% Memory free
2.38 Gb Paging File | 1.82 Gb Available in Paging File | 76.45% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 31.20 Gb Free Space | 41.87% Space Free | Partition Type: NTFS

Computer Name: USER-7BCF7E5992 | User Name: user | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\user\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE (SUPERAntiSpyware.com)
PRC - C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
PRC - C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)
PRC - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)
PRC - C:\Program Files\SpyShelter Personal Free\SpyShelter.exe ()
PRC - C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe (Sony Ericsson)
PRC - C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanionInfo.exe ()
PRC - C:\Program Files\Spyware Terminator\SpywareTerminatorShield.Exe (Crawler.com)
PRC - C:\Program Files\Spyware Terminator\sp_rsser.exe (Crawler.com)
PRC - C:\Program Files\OpenOffice.org 3\program\soffice.bin (OpenOffice.org)
PRC - C:\Program Files\OpenOffice.org 3\program\soffice.exe (OpenOffice.org)
PRC - C:\Program Files\CyberScrub Privacy Suite\CSRiskMon.exe (CyberScrub LLC)
PRC - C:\Program Files\WordWeb\wweb32.exe (WordWeb Software)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe (Hewlett-Packard Co.)
PRC - C:\WINDOWS\system32\HPZipm12.exe (HP)
PRC - C:\Program Files\Sygate\SPF\Smc.exe (Sygate Technologies, Inc.)


========== Modules (No Company Name) ==========

MOD - C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10007.dll ()
MOD - C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll ()
MOD - C:\Program Files\Alwil Software\Avast5\defs\12030301\algo.dll ()
MOD - C:\Program Files\SpyShelter Personal Free\klhelper.dll ()
MOD - C:\Program Files\SpyShelter Personal Free\SpyShelter.exe ()
MOD - C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\MExplorer.dll ()
MOD - C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL ()
MOD - C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll ()
MOD - C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanionInfo.exe ()
MOD - C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\TMonitorAPI.dll ()
MOD - C:\Program Files\WordWeb\WUCNT.dll ()
MOD - C:\Program Files\OpenOffice.org 3\program\libxml2.dll ()
MOD - c:\windows\assembly\gac\hpqisrtb\4.0.0.0__a53cf5803f4c3827\hpqisrtb.dll ()
MOD - c:\windows\assembly\gac\hpqbakup\3.0.0.0__a53cf5803f4c3827\hpqbakup.dll ()
MOD - c:\windows\assembly\gac\hpqcprsc\3.0.0.0__a53cf5803f4c3827\hpqcprsc.dll ()
MOD - c:\windows\assembly\gac\hpqedit\3.0.0.0__a53cf5803f4c3827\hpqedit.dll ()
MOD - c:\windows\assembly\gac\hpqvideo\3.0.0.0__a53cf5803f4c3827\hpqvideo.dll ()
MOD - c:\windows\assembly\gac\interop.hprblog\3.0.0.0__a53cf5803f4c3827\interop.hprblog.dll ()
MOD - c:\windows\assembly\gac\hpqovskn\3.0.0.0__a53cf5803f4c3827\hpqovskn.dll ()
MOD - c:\windows\assembly\gac\interop.hpqvideo\3.0.0.0__a53cf5803f4c3827\interop.hpqvideo.dll ()
MOD - c:\windows\assembly\gac\interop.hpqimgr\3.0.0.0__a53cf5803f4c3827\interop.hpqimgr.dll ()
MOD - c:\windows\assembly\gac\hpqcc2\3.0.0.0__a53cf5803f4c3827\hpqcc2.dll ()
MOD - c:\windows\assembly\gac\hpqimvlt\3.0.0.0__a53cf5803f4c3827\hpqimvlt.dll ()
MOD - c:\windows\assembly\gac\hpqtray\4.0.0.0__a53cf5803f4c3827\hpqtray.dll ()
MOD - c:\windows\assembly\gac\hpqimgrc\4.0.0.0__a53cf5803f4c3827\hpqimgrc.dll ()
MOD - c:\windows\assembly\gac\hpqglutl\4.0.0.0__a53cf5803f4c3827\hpqglutl.dll ()
MOD - c:\windows\assembly\gac\hpqimlib\3.0.0.0__a53cf5803f4c3827\hpqimlib.dll ()
MOD - c:\windows\assembly\gac\hpqthumb\3.0.0.0__a53cf5803f4c3827\hpqthumb.dll ()
MOD - c:\windows\assembly\gac\hpqfmrsc\4.0.0.0__a53cf5803f4c3827\hpqfmrsc.dll ()
MOD - c:\windows\assembly\gac\hpqasset\4.0.0.0__a53cf5803f4c3827\hpqasset.dll ()
MOD - c:\windows\assembly\gac\hpqiface\4.0.0.0__a53cf5803f4c3827\hpqiface.dll ()
MOD - c:\windows\assembly\gac\hpqprrsc\4.0.0.0__a53cf5803f4c3827\hpqprrsc.dll ()
MOD - c:\windows\assembly\gac\lead.wrapper\13.0.0.113__9cf889f53ea9b907\lead.wrapper.dll ()
MOD - c:\windows\assembly\gac\lead.drawing.imaging.imageprocessing\13.0.0.113__9cf889f53ea9b907\lead.drawing.imaging.imageprocessing.dll ()
MOD - c:\windows\assembly\gac\lead.drawing\13.0.0.113__9cf889f53ea9b907\lead.drawing.dll ()
MOD - c:\windows\assembly\gac\lead\13.0.0.113__9cf889f53ea9b907\lead.dll ()
MOD - c:\windows\assembly\gac\lead.windows.forms.drawingcontainer\13.0.0.113__9cf889f53ea9b907\lead.windows.forms.drawingcontainer.dll ()
MOD - c:\windows\assembly\gac\hpqntrop\4.0.0.0__a53cf5803f4c3827\hpqntrop.dll ()
MOD - c:\windows\assembly\gac\hpqmdmr\4.0.0.0__a53cf5803f4c3827\hpqmdmr.dll ()
MOD - c:\windows\assembly\gac\lead.windows.forms\13.0.0.113__9cf889f53ea9b907\lead.windows.forms.dll ()
MOD - c:\windows\assembly\gac\interop.hpqcxm08\3.0.0.0__a53cf5803f4c3827\interop.hpqcxm08.dll ()
MOD - c:\windows\assembly\gac\hpqutils\4.0.0.0__a53cf5803f4c3827\hpqutils.dll ()
MOD - c:\windows\assembly\nativeimages1_v1.1.4322\system.xml\1.0.5000.0__b77a5c561934e089_2121bf0c\system.xml.dll ()
MOD - c:\windows\assembly\nativeimages1_v1.1.4322\system.windows.forms\1.0.5000.0__b77a5c561934e089_50536370\system.windows.forms.dll ()
MOD - c:\windows\assembly\nativeimages1_v1.1.4322\system.drawing\1.0.5000.0__b03f5f7f11d50a3a_e631d3ed\system.drawing.dll ()
MOD - c:\windows\assembly\nativeimages1_v1.1.4322\system\1.0.5000.0__b77a5c561934e089_dcaf5fa6\system.dll ()
MOD - c:\windows\assembly\nativeimages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_8036170a\mscorlib.dll ()
MOD - c:\windows\assembly\gac\system.windows.forms\1.0.5000.0__b77a5c561934e089\system.windows.forms.dll ()
MOD - c:\windows\assembly\gac\system.xml\1.0.5000.0__b77a5c561934e089\system.xml.dll ()
MOD - c:\windows\assembly\gac\system\1.0.5000.0__b77a5c561934e089\system.dll ()
MOD - c:\windows\assembly\gac\system.drawing\1.0.5000.0__b03f5f7f11d50a3a\system.drawing.dll ()
MOD - c:\windows\assembly\gac\accessibility\1.0.5000.0__b03f5f7f11d50a3a\accessibility.dll ()
MOD - C:\Program Files\Sygate\SPF\SyLink.dll ()
MOD - C:\Program Files\Sygate\SPF\tse.dll ()
MOD - C:\Program Files\Sygate\SPF\SpNet.dll ()


========== Win32 Services (SafeList) ==========

SRV - (!SASCORE) -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE (SUPERAntiSpyware.com)
SRV - (avast! Antivirus) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)
SRV - (Sony Ericsson PCCompanion) -- C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCService.exe (Avanquest Software)
SRV - (sp_rssrv) -- C:\Program Files\Spyware Terminator\sp_rsser.exe (Crawler.com)
SRV - (Pml Driver HPZ12) -- C:\WINDOWS\system32\HPZipm12.exe (HP)
SRV - (SmcService) -- C:\Program Files\Sygate\SPF\Smc.exe (Sygate Technologies, Inc.)


========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (lbrtfdc) -- File not found
DRV - (i2omgmt) -- File not found
DRV - (Changer) -- File not found
DRV - (cerc6) -- File not found
DRV - (aswSnx) -- C:\WINDOWS\System32\drivers\aswSnx.sys (AVAST Software)
DRV - (aswSP) -- C:\WINDOWS\System32\drivers\aswSP.sys (AVAST Software)
DRV - (aswRdr) -- C:\WINDOWS\System32\drivers\aswRdr.sys (AVAST Software)
DRV - (aswTdi) -- C:\WINDOWS\System32\drivers\aswTdi.sys (AVAST Software)
DRV - (aswMon2) -- C:\WINDOWS\System32\drivers\aswmon2.sys (AVAST Software)
DRV - (aswFsBlk) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys (AVAST Software)
DRV - (Aavmker4) -- C:\WINDOWS\System32\drivers\aavmker4.sys (AVAST Software)
DRV - (Spyshelter) -- C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter)
DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (s1039mdm) -- C:\WINDOWS\system32\drivers\s1039mdm.sys (MCCI Corporation)
DRV - (s1039unic) Sony Ericsson Device 1039 USB Ethernet Emulation (WDM) -- C:\WINDOWS\system32\drivers\s1039unic.sys (MCCI Corporation)
DRV - (s1039mgmt) Sony Ericsson Device 1039 USB WMC Device Management Drivers (WDM) -- C:\WINDOWS\system32\drivers\s1039mgmt.sys (MCCI Corporation)
DRV - (s1039obex) -- C:\WINDOWS\system32\drivers\s1039obex.sys (MCCI Corporation)
DRV - (s1039bus) Sony Ericsson Device 1039 driver (WDM) -- C:\WINDOWS\system32\drivers\s1039bus.sys (MCCI Corporation)
DRV - (s1039nd5) Sony Ericsson Device 1039 USB Ethernet Emulation (NDIS) -- C:\WINDOWS\system32\drivers\s1039nd5.sys (MCCI Corporation)
DRV - (s1039mdfl) -- C:\WINDOWS\system32\drivers\s1039mdfl.sys (MCCI Corporation)
DRV - (yukonwxp) -- C:\WINDOWS\system32\drivers\yk51x86.sys (Marvell)
DRV - (Monfilt) -- C:\WINDOWS\system32\drivers\Monfilt.sys (Creative Technology Ltd.)
DRV - (Ambfilt) -- C:\WINDOWS\system32\drivers\Ambfilt.sys (Creative)
DRV - (vmmouse) -- C:\WINDOWS\system32\drivers\vmmouse.sys (VMware, Inc.)
DRV - (sscdmdm) -- C:\WINDOWS\system32\drivers\sscdmdm.sys (MCCI Corporation)
DRV - (sscdmdfl) -- C:\WINDOWS\system32\drivers\sscdmdfl.sys (MCCI Corporation)
DRV - (sscdbus) SAMSUNG USB Composite Device driver (WDM) -- C:\WINDOWS\system32\drivers\sscdbus.sys (MCCI Corporation)
DRV - (StarOpen) -- C:\WINDOWS\System32\drivers\StarOpen.sys ()
DRV - (pfc) -- C:\WINDOWS\system32\drivers\pfc.sys (Padus, Inc.)
DRV - (sp_rsdrv2) -- C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ()
DRV - (wg6n) -- C:\WINDOWS\SYSTEM32\Drivers\wg6n.sys (Sygate Technologies, Inc.)
DRV - (wg5n) -- C:\WINDOWS\SYSTEM32\Drivers\wg5n.sys (Sygate Technologies, Inc.)
DRV - (wg4n) -- C:\WINDOWS\SYSTEM32\Drivers\wg4n.sys (Sygate Technologies, Inc.)
DRV - (wg3n) -- C:\WINDOWS\SYSTEM32\Drivers\wg3n.sys (Sygate Technologies, Inc.)
DRV - (wpsdrvnt) -- C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Sygate Technologies, Inc.)
DRV - (Teefer) -- C:\WINDOWS\SYSTEM32\Drivers\Teefer.sys (Sygate Technologies, Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1085031214-1004336348-1606980848-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\..\SearchScopes,DefaultScope = {3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
IE - HKU\..\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}: "URL" = http://www.mystart.com/search_w.php?type=webblog1_1msch&fr=chr-vmn&q={searchTerms}&ei=UTF-8
IE - HKU\S-1-5-21-1085031214-1004336348-1606980848-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "http://pepperberry.net.au/"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {35379F86-8CCB-4724-AE33-4278DE266C70}:1.0.5
FF - prefs.js..network.proxy.type: 4

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf: C:\Program Files\PDF-XChange PDF Viewer\PDF Viewer\npPDFXCviewNPPlugin.dll (Tracker Software Products Ltd.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tracker-software.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf: C:\Program Files\PDF-XChange PDF Viewer\PDF Viewer\npPDFXCviewNPPlugin.dll (Tracker Software Products Ltd.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf: C:\Program Files\PDF-XChange PDF Viewer\PDF Viewer\npPDFXCviewNPPlugin.dll (Tracker Software Products Ltd.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\wrc@avast.com: C:\Program Files\Alwil Software\Avast5\WebRep\FF [2012/02/26 20:42:49 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/10/11 11:21:54 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/11/21 09:49:27 | 000,000,000 | ---D | M]

[2006/01/01 21:31:28 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\user\Application Data\Mozilla\Extensions
[2011/09/19 12:49:08 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\qepklykt.default\extensions
[2011/08/11 18:25:08 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\qepklykt.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/10/11 11:21:54 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2006/01/01 20:49:43 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2012/02/26 20:42:49 | 000,000,000 | ---D | M] (avast! WebRep) -- C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST5\WEBREP\FF
[2006/01/02 11:00:30 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/09/29 18:09:46 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010/11/14 08:01:12 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/12/29 00:51:09 | 000,170,080 | ---- | M] (Tracker Software Products Ltd.) -- C:\Program Files\mozilla firefox\plugins\npPDFXCviewNPPlugin.dll
[2011/09/29 12:30:22 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2011/09/29 12:16:42 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/09/29 12:30:22 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2011/09/29 12:30:22 | 000,001,180 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2011/09/29 12:30:22 | 000,001,135 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2008/04/14 23:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Octh Class) - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll (Orbitdownloader.com)
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O3 - HKLM\..\Toolbar: (Grab Pro) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll ()
O3 - HKU\S-1-5-21-1085031214-1004336348-1606980848-1003\..\Toolbar\WebBrowser: (Grab Pro) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll ()
O4 - HKLM..\Run: [avast] C:\Program Files\Alwil Software\Avast5\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [SmcService] C:\Program Files\Sygate\SPF\Smc.exe (Sygate Technologies, Inc.)
O4 - HKLM..\Run: [SpyShelter] C:\Program Files\SpyShelter Personal Free\SpyShelter.exe ()
O4 - HKLM..\Run: [SpywareTerminator] C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe (Crawler.com)
O4 - HKLM..\Run: [WordWeb] C:\Program Files\WordWeb\wweb32.exe (WordWeb Software)
O4 - HKU\S-1-5-21-1085031214-1004336348-1606980848-1003..\Run: [Privacy Suite RiskMonitor] C:\Program Files\CyberScrub Privacy Suite\Launch.exe ()
O4 - HKU\S-1-5-21-1085031214-1004336348-1606980848-1003..\Run: [Sony Ericsson PC Companion] C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe (Sony Ericsson)
O4 - HKU\S-1-5-21-1085031214-1004336348-1606980848-1003..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\computer\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O4 - Startup: C:\Documents and Settings\Guest\Start Menu\Programs\Startup\Shortcut to Spyware Terminator.lnk = C:\Documents and Settings\All Users\Start Menu\Programs\Spyware Terminator [2006/01/02 11:09:16 | 000,000,000 | ---D | M]
O4 - Startup: C:\Documents and Settings\user\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1085031214-1004336348-1606980848-1003\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-1085031214-1004336348-1606980848-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &Download by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: &Grab video by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Do&wnload selected by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Down&load all by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O15 - HKU\S-1-5-21-1085031214-1004336348-1606980848-1003\..Trusted Domains: microsoft.com ([*.update] http in Trusted sites)
O15 - HKU\S-1-5-21-1085031214-1004336348-1606980848-1003\..Trusted Domains: microsoft.com ([*.update] https in Trusted sites)
O15 - HKU\S-1-5-21-1085031214-1004336348-1606980848-1003\..Trusted Domains: windowsupdate.com ([download] http in Trusted sites)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1316483665031 (WUWebControl Class)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 180.181.0.3 180.181.0.4 180.181.127.4
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F25381B4-F4F7-4B3E-BA51-34E7B2B0E886}: DhcpNameServer = 180.181.0.3 180.181.0.4 180.181.127.4
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL) - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O24 - Desktop WallPaper: C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/01/02 09:52:21 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{9bf16e36-54f6-11e0-8c84-0016e6529c17}\Shell\AutoRun\command - "" = H:\wubi.exe --cdmenu
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/03/04 16:53:33 | 000,585,216 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OTL.exe
[2012/03/04 16:51:37 | 000,389,024 | ---- | C] (Bleeping Computer, LLC) -- C:\Documents and Settings\user\Desktop\unhide.exe
[2012/03/04 08:25:54 | 000,000,000 | R--D | C] -- C:\Documents and Settings\user\Start Menu\Programs\Administrative Tools
[2012/03/04 08:20:48 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\user\Desktop\dds.scr
[2012/02/24 15:21:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Desktop\Muffin Break
[2012/02/17 23:45:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SpyShelter
[2012/02/17 23:45:42 | 000,000,000 | ---D | C] -- C:\Program Files\SpyShelter Personal Free
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/03/04 17:13:30 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/03/04 16:54:31 | 000,585,216 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OTL.exe
[2012/03/04 16:52:14 | 000,389,024 | ---- | M] (Bleeping Computer, LLC) -- C:\Documents and Settings\user\Desktop\unhide.exe
[2012/03/04 08:48:57 | 000,002,527 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\ACDSee for Pentax 2.0.lnk
[2012/03/04 08:21:07 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\user\Desktop\dds.scr
[2012/03/02 18:31:23 | 000,142,832 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/03/02 15:09:50 | 001,765,450 | ---- | M] () -- C:\Documents and Settings\user\My Documents\Tas Aboriginal and FT Memorandum of Understanding.pdf
[2012/03/01 15:28:06 | 000,000,195 | ---- | M] () -- C:\Documents and Settings\user\Desktop\rk-proxy.reg
[2012/03/01 14:36:09 | 000,002,422 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/02/27 21:06:19 | 000,015,120 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Letter to Basil - offer.odt
[2012/02/26 20:42:59 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2012/02/24 21:32:38 | 001,563,952 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\user\Desktop\tdsskiller.com.exe
[2012/02/24 21:30:22 | 001,008,092 | ---- | M] () -- C:\Documents and Settings\user\Desktop\iExplore.exe
[2012/02/24 03:23:26 | 000,041,184 | ---- | M] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2012/02/24 03:23:21 | 000,201,352 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2012/02/24 03:12:28 | 000,610,648 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2012/02/24 03:12:16 | 000,337,112 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2012/02/24 03:10:46 | 000,035,672 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2012/02/24 03:10:39 | 000,053,848 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2012/02/24 03:10:25 | 000,095,704 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2012/02/24 03:10:22 | 000,089,048 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2012/02/24 03:10:16 | 000,020,696 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2012/02/24 03:07:33 | 000,024,920 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2012/02/22 09:13:29 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2012/02/20 13:38:02 | 000,015,872 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/02/17 23:45:52 | 000,000,804 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SpyShelter Personal Free.lnk
[2012/02/16 11:26:49 | 001,167,360 | ---- | M] () -- C:\Documents and Settings\user\My Documents\TTTSV.CWB.QJXPXOI
[2012/02/05 19:27:45 | 000,144,090 | ---- | M] () -- C:\Documents and Settings\user\My Documents\SkyMesh Application Form - NBN Second Release Satellite Service.pdf
[2012/02/05 13:07:32 | 000,592,883 | ---- | M] () -- C:\Documents and Settings\user\My Documents\Samsung E3210 User Manual.pdf
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/03/02 18:31:23 | 000,142,832 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/03/02 15:09:50 | 001,765,450 | ---- | C] () -- C:\Documents and Settings\user\My Documents\Tas Aboriginal and FT Memorandum of Understanding.pdf
[2012/03/01 15:28:06 | 000,000,195 | ---- | C] () -- C:\Documents and Settings\user\Desktop\rk-proxy.reg
[2012/02/27 18:26:08 | 000,015,120 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Letter to Basil - offer.odt
[2012/02/17 23:45:52 | 000,000,804 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SpyShelter Personal Free.lnk
[2012/02/17 23:45:50 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\SpyShelterShellExt.dll
[2012/02/17 23:45:48 | 001,740,800 | ---- | C] () -- C:\WINDOWS\System32\Osklauncher.exe
[2012/02/17 23:45:48 | 000,054,784 | ---- | C] () -- C:\WINDOWS\System32\inject_logon_dll.dll
[2012/02/05 19:27:45 | 000,144,090 | ---- | C] () -- C:\Documents and Settings\user\My Documents\SkyMesh Application Form - NBN Second Release Satellite Service.pdf
[2012/02/05 13:07:32 | 000,592,883 | ---- | C] () -- C:\Documents and Settings\user\My Documents\Samsung E3210 User Manual.pdf
[2011/12/19 16:44:33 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\LauncherAccess.dt
[2011/12/19 16:42:04 | 000,005,632 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys
[2011/11/16 18:52:45 | 000,001,078 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\FASTWiz.html
[2011/04/06 08:49:29 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2011/02/17 13:15:38 | 000,000,028 | ---- | C] () -- C:\WINDOWS\ICOA.INI
[2011/02/17 13:15:38 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QFNONL.ini
[2011/02/17 13:15:15 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QFN.ini
[2011/02/17 13:15:15 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QDQICK.ini
[2011/02/03 07:42:05 | 000,015,872 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/01/31 18:11:30 | 000,001,492 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ss.ini
[2011/01/18 20:41:50 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2011/01/16 00:02:28 | 000,000,084 | ---- | C] () -- C:\WINDOWS\csact.ini

========== Custom Scans ==========


< %TEMP%\smtmp\*.*/s >

========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\user\Desktop\iExplore.exe:SummaryInformation
@Alternate Data Stream - 208 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B4AF47A7
@Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C43ED645

< End of report >

#6 novice1958 (Topic Starter, Members, 26 posts)

Posted 04 March 2012 - 01:42 AM

Thanks Gringo, have posted the OTL logs above. When my PC boots most of the desktop icons are slow to appear in different stages, where they all used to come up quickly altogether when I wasn't infected. While running OTL, Avast asked me to delete the rootkit, so I did. Then it asked me to bootscan, which I declined because of running OTL. I hope it's an easy one to fix. I really don't know where it came in.

When I run your advised programs, do you want me to disable all the security programs? Do you also want me to disable my firewall (SPF)?

Cheers.

#7 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 04 March 2012 - 02:03 AM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out here or here.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#8 novice1958 (Topic Starter, Members, 26 posts)

Posted 04 March 2012 - 10:39 PM

OK, carried out all your instructions to the letter. Had to download and install Recovery Console during the process. Combofix got to the point where it said "Scanning for infected files... This typically doesn't take more than 10 minutes. However, scan times for badly infected machines may easily double."

After about one minute of scanning, the PC's timeclock froze and the PC didn't seem to be doing anything. Its cursor was flashing ok on the next line. At this point the mouse pointer was very jittery and slow if I tried to move it. I let the PC run for another 20 minutes in case Combofix was running.

I restarted the PC and ran Combofix again. This time Avast was disabled so I didn't get any notification about Alureon like normal. After one minute, the PC's timeclock stopped again but the mouse was able to be moved normally. I let Combofix run (?) for another ten minutes but there was no sign of any PC activity. I couldn't close Combofix and everything else was locked up so I had to restart the PC again.

At startup Avast asked if two Combofix functions could be allowed and I did so. I should have written down what they were, but didn't.

Outlook Express wouldn't open from keyboard shortcut but did from START menu. Firefox started ok from keyboard.

Should I wait for Avast to detect Alureon and delete it before carrying out your future instructions? It usually happens within the first couple of minutes.

Cheers.

#9 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 04 March 2012 - 10:42 PM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
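The two tools requested above (TDSSKiller and aswMBR) both read the first sector of the disk and judge whether its boot code and partition table look sane. The following Python is an added example written for this page, not code from the thread, from Kaspersky or from AVAST, showing the kind of checks such a scan performs on a 512-byte MBR: boot-signature validation, comparison of the bootstrap code against a known-good hash, sanity checks on the partition table, and measurement of the unpartitioned tail of the disk, which is where TDL4-family (Alureon) bootkits keep their hidden storage. The disk geometry constants are taken from the TDSSKiller log posted later in this thread (74.53 GB drive, one NTFS partition at LBA 0x3F); the boot code bytes, the disk signature and the "infected" variant are constructed for the example and do not reproduce any real bootstrap or malware.

```python
"""Parse a 512-byte MBR and flag the things an MBR-rootkit scan looks at."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0..439: bootstrap code (before the disk signature)
PART_TABLE_OFF = 446         # four 16-byte partition entries start here
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510..511
PART_ENTRY = "<B3xB3xII"     # status, CHS start (skipped), type, CHS end (skipped), LBA, count


def build_mbr(boot_code: bytes, partitions: list, disk_sig: int = 0) -> bytes:
    """Assemble an MBR from boot code and (status, type, lba, count) tuples.
    Constructed helper so the example runs without touching a real disk."""
    mbr = bytearray(SECTOR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    mbr[:len(code)] = code
    struct.pack_into("<I", mbr, 440, disk_sig)
    for i, (status, ptype, lba, count) in enumerate(partitions[:4]):
        struct.pack_into(PART_ENTRY, mbr, PART_TABLE_OFF + 16 * i, status, ptype, lba, count)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


def parse_mbr(mbr: bytes) -> dict:
    """Return boot-code hash, signature status and the non-empty partition entries."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(PART_ENTRY, mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0x00 marks an unused entry
            parts.append({"index": i, "active": status == 0x80,
                          "type": ptype, "lba": lba, "count": count})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "signature_ok": mbr[510:512] == MBR_SIGNATURE,
        "partitions": parts,
    }


def audit_mbr(mbr: bytes, baseline_sha256: str, total_sectors: int) -> dict:
    """Compare an MBR against a known-good boot-code hash and the disk size.
    baseline_sha256 must come from a trusted copy (clean install, vendor media)."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from known-good baseline")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected 1)")
    spans = sorted((p["lba"], p["lba"] + p["count"]) for p in info["partitions"])
    for (s1, e1), (s2, e2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append(f"partition overlap: {s1:#x}-{e1:#x} and {s2:#x}-{e2:#x}")
    last_end = max((e for _, e in spans), default=0)
    if last_end > total_sectors:
        findings.append("partition extends past end of disk")
    # Sectors after the last partition: a few MB of alignment slack is normal, but
    # TDL4-style bootkits store their hidden file system here, so report it for review.
    tail = max(total_sectors - last_end, 0)
    return {"findings": findings, "tail_sectors": tail,
            "boot_code_sha256": info["boot_code_sha256"]}


# Geometry from the TDSSKiller log in this thread: 0x12A1E0DE00-byte disk, 512-byte sectors,
# one NTFS (0x07) partition starting at LBA 0x3F with 0x950A5C1 sectors.
TOTAL_SECTORS = 0x12A1E0DE00 // SECTOR_SIZE   # 0x950F06F
PARTITIONS = [(0x80, 0x07, 0x3F, 0x950A5C1)]

# Constructed stand-in for the vendor bootstrap (not real Windows boot code).
CLEAN_BOOT = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * (BOOT_CODE_LEN - 5)
CLEAN_MBR = build_mbr(CLEAN_BOOT, PARTITIONS, disk_sig=0x1234ABCD)
BASELINE = hashlib.sha256(CLEAN_BOOT).hexdigest()

# Simulated bootkit: first 32 bytes of bootstrap replaced, partition table left intact,
# which is the pattern a hash-based MBR check catches and a partition-only check misses.
INFECTED_BOOT = bytes([0xEB, 0x1C]) + b"\x00" * 30 + CLEAN_BOOT[32:]
INFECTED_MBR = build_mbr(INFECTED_BOOT, PARTITIONS, disk_sig=0x1234ABCD)

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        result = audit_mbr(mbr, BASELINE, TOTAL_SECTORS)
        print(f"{name}: findings={result['findings']} "
              f"unpartitioned tail={result['tail_sectors']} sectors")
```

On a live system the 512 bytes would be read from `\\.\PhysicalDrive0` (the device Avast names in the first post), and the baseline hash must be taken from a trusted source rather than from the suspect machine, since a rootkit that hooks the disk driver can return a clean-looking sector to user-mode readers; that is why the tools above run their own kernel driver or, in Avast's case, a boot-time scan.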

#10 novice1958 (Topic Starter, Members, 26 posts)

Posted 05 March 2012 - 05:13 PM

Thanks again Gringo. TDSSKiller found no threats. aswMBR found the Alureon rootkit. I didn't click on Fix MBR as you haven't instructed me to do so. Both logs are below. Should I run aswMBR again and Fix MBR?

Cheers.

08:39:36.0984 0512 TDSS rootkit removing tool 2.7.19.0 Mar 5 2012 11:23:39
08:39:38.0984 0512 ============================================================
08:39:38.0984 0512 Current date / time: 2012/03/06 08:39:38.0984
08:39:38.0984 0512 SystemInfo:
08:39:38.0984 0512
08:39:38.0984 0512 OS Version: 5.1.2600 ServicePack: 3.0
08:39:38.0984 0512 Product type: Workstation
08:39:38.0984 0512 ComputerName: USER-7BCF7E5992
08:39:38.0984 0512 UserName: user
08:39:38.0984 0512 Windows directory: C:\WINDOWS
08:39:38.0984 0512 System windows directory: C:\WINDOWS
08:39:38.0984 0512 Processor architecture: Intel x86
08:39:38.0984 0512 Number of processors: 2
08:39:38.0984 0512 Page size: 0x1000
08:39:38.0984 0512 Boot type: Normal boot
08:39:38.0984 0512 ============================================================
08:39:40.0265 0512 Drive \Device\Harddisk0\DR0 - Size: 0x12A1E0DE00 (74.53 Gb), SectorSize: 0x200, Cylinders: 0x2601, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
08:39:40.0265 0512 \Device\Harddisk0\DR0:
08:39:40.0265 0512 MBR used
08:39:40.0265 0512 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x950A5C1
08:39:40.0312 0512 Initialize success
08:39:40.0312 0512 ============================================================
08:41:34.0953 2368 ============================================================
08:41:34.0953 2368 Scan started
08:41:34.0953 2368 Mode: Manual;
08:41:34.0953 2368 ============================================================
08:41:35.0140 2368 Aavmker4 (fdba5bb4c8171cda00b2233d5389ee5f) C:\WINDOWS\system32\drivers\Aavmker4.sys
08:41:35.0140 2368 Aavmker4 - ok
08:41:35.0156 2368 Abiosdsk - ok
08:41:35.0171 2368 abp480n5 - ok
08:41:35.0218 2368 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
08:41:35.0218 2368 ACPI - ok
08:41:35.0250 2368 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
08:41:35.0265 2368 ACPIEC - ok
08:41:35.0265 2368 adpu160m - ok
08:41:35.0312 2368 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
08:41:35.0312 2368 aec - ok
08:41:35.0343 2368 AFD (322d0e36693d6e24a2398bee62a268cd) C:\WINDOWS\System32\drivers\afd.sys
08:41:35.0343 2368 AFD - ok
08:41:35.0343 2368 Aha154x - ok
08:41:35.0359 2368 aic78u2 - ok
08:41:35.0375 2368 aic78xx - ok
08:41:35.0390 2368 AliIde - ok
08:41:35.0453 2368 Ambfilt (267fc636801edc5ab28e14036349e3be) C:\WINDOWS\system32\drivers\Ambfilt.sys
08:41:35.0468 2368 Ambfilt - ok
08:41:35.0484 2368 amsint - ok
08:41:35.0515 2368 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
08:41:35.0515 2368 Arp1394 - ok
08:41:35.0515 2368 asc - ok
08:41:35.0531 2368 asc3350p - ok
08:41:35.0531 2368 asc3550 - ok
08:41:35.0562 2368 aswFsBlk (581b82df5dbcc1dda6b775fac0d92472) C:\WINDOWS\system32\drivers\aswFsBlk.sys
08:41:35.0562 2368 aswFsBlk - ok
08:41:35.0562 2368 aswMon2 (4310e0977b48ec9bc5cca6931f806e6d) C:\WINDOWS\system32\drivers\aswMon2.sys
08:41:35.0578 2368 aswMon2 - ok
08:41:35.0593 2368 aswRdr (0b44ee90b3db93582b260a80b28b7ffd) C:\WINDOWS\system32\drivers\aswRdr.sys
08:41:35.0593 2368 aswRdr - ok
08:41:35.0640 2368 aswSnx (ca9601cd277a1e510b80422a40240a95) C:\WINDOWS\system32\drivers\aswSnx.sys
08:41:35.0640 2368 aswSnx - ok
08:41:35.0671 2368 aswSP (05ea22dde5ca7ee3a865046aff2f0229) C:\WINDOWS\system32\drivers\aswSP.sys
08:41:35.0671 2368 aswSP - ok
08:41:35.0687 2368 aswTdi (3ac73a9e7378848d1bde174b4bb39212) C:\WINDOWS\system32\drivers\aswTdi.sys
08:41:35.0687 2368 aswTdi - ok
08:41:35.0703 2368 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
08:41:35.0703 2368 AsyncMac - ok
08:41:35.0703 2368 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
08:41:35.0718 2368 atapi - ok
08:41:35.0718 2368 Atdisk - ok
08:41:35.0734 2368 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
08:41:35.0734 2368 Atmarpc - ok
08:41:35.0781 2368 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
08:41:35.0781 2368 audstub - ok
08:41:35.0812 2368 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
08:41:35.0812 2368 Beep - ok
08:41:35.0859 2368 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
08:41:35.0859 2368 cbidf2k - ok
08:41:35.0906 2368 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
08:41:35.0906 2368 CCDECODE - ok
08:41:35.0937 2368 cd20xrnt - ok
08:41:35.0984 2368 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
08:41:35.0984 2368 Cdaudio - ok
08:41:36.0000 2368 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
08:41:36.0000 2368 Cdfs - ok
08:41:36.0015 2368 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
08:41:36.0015 2368 Cdrom - ok
08:41:36.0031 2368 cerc6 - ok
08:41:36.0031 2368 Changer - ok
08:41:36.0062 2368 CmdIde - ok
08:41:36.0078 2368 Cpqarray - ok
08:41:36.0093 2368 dac2w2k - ok
08:41:36.0093 2368 dac960nt - ok
08:41:36.0125 2368 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
08:41:36.0125 2368 Disk - ok
08:41:36.0187 2368 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
08:41:36.0187 2368 dmboot - ok
08:41:36.0234 2368 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
08:41:36.0234 2368 dmio - ok
08:41:36.0265 2368 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
08:41:36.0265 2368 dmload - ok
08:41:36.0296 2368 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
08:41:36.0296 2368 DMusic - ok
08:41:36.0312 2368 dpti2o - ok
08:41:36.0328 2368 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
08:41:36.0328 2368 drmkaud - ok
08:41:36.0359 2368 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
08:41:36.0359 2368 Fastfat - ok
08:41:36.0375 2368 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
08:41:36.0375 2368 Fdc - ok
08:41:36.0390 2368 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
08:41:36.0390 2368 Fips - ok
08:41:36.0406 2368 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
08:41:36.0406 2368 Flpydisk - ok
08:41:36.0453 2368 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
08:41:36.0453 2368 FltMgr - ok
08:41:36.0468 2368 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
08:41:36.0468 2368 Fs_Rec - ok
08:41:36.0484 2368 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
08:41:36.0484 2368 Ftdisk - ok
08:41:36.0484 2368 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
08:41:36.0500 2368 Gpc - ok
08:41:36.0500 2368 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
08:41:36.0515 2368 HDAudBus - ok
08:41:36.0546 2368 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
08:41:36.0546 2368 hidusb - ok
08:41:36.0562 2368 hpn - ok
08:41:36.0593 2368 HPZid412 (9f1d80908658eb7f1bf70809e0b51470) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
08:41:36.0593 2368 HPZid412 - ok
08:41:36.0609 2368 HPZipr12 (f7e3e9d50f9cd3de28085a8fdaa0a1c3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
08:41:36.0609 2368 HPZipr12 - ok
08:41:36.0640 2368 HPZius12 (cf1b7951b4ec8d13f3c93b74bb2b461b) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
08:41:36.0640 2368 HPZius12 - ok
08:41:36.0687 2368 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
08:41:36.0687 2368 HTTP - ok
08:41:36.0703 2368 i2omgmt - ok
08:41:36.0718 2368 i2omp - ok
08:41:36.0750 2368 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
08:41:36.0750 2368 i8042prt - ok
08:41:36.0937 2368 ialm (48846b31be5a4fa662ccfde7a1ba86b9) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
08:41:36.0968 2368 ialm - ok
08:41:37.0000 2368 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
08:41:37.0000 2368 Imapi - ok
08:41:37.0015 2368 ini910u - ok
08:41:37.0203 2368 IntcAzAudAddService (a109fe3ca1ee4e92292b349de1b32f7b) C:\WINDOWS\system32\drivers\RtkHDAud.sys
08:41:37.0250 2368 IntcAzAudAddService - ok
08:41:37.0281 2368 IntelIde - ok
08:41:37.0296 2368 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
08:41:37.0296 2368 intelppm - ok
08:41:37.0328 2368 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
08:41:37.0328 2368 Ip6Fw - ok
08:41:37.0375 2368 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
08:41:37.0390 2368 IpFilterDriver - ok
08:41:37.0406 2368 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
08:41:37.0406 2368 IpInIp - ok
08:41:37.0437 2368 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
08:41:37.0437 2368 IpNat - ok
08:41:37.0468 2368 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
08:41:37.0468 2368 IPSec - ok
08:41:37.0515 2368 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
08:41:37.0515 2368 IRENUM - ok
08:41:37.0546 2368 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
08:41:37.0546 2368 isapnp - ok
08:41:37.0562 2368 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
08:41:37.0562 2368 Kbdclass - ok
08:41:37.0593 2368 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
08:41:37.0593 2368 kbdhid - ok
08:41:37.0640 2368 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
08:41:37.0640 2368 kmixer - ok
08:41:37.0671 2368 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys
08:41:37.0671 2368 KSecDD - ok
08:41:37.0687 2368 lbrtfdc - ok
08:41:37.0703 2368 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
08:41:37.0703 2368 mnmdd - ok
08:41:37.0734 2368 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
08:41:37.0734 2368 Modem - ok
08:41:37.0796 2368 Monfilt (c7d9f9717916b34c1b00dd4834af485c) C:\WINDOWS\system32\drivers\Monfilt.sys
08:41:37.0812 2368 Monfilt - ok
08:41:37.0828 2368 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
08:41:37.0828 2368 Mouclass - ok
08:41:37.0875 2368 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
08:41:37.0875 2368 mouhid - ok
08:41:37.0890 2368 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
08:41:37.0890 2368 MountMgr - ok
08:41:37.0890 2368 mraid35x - ok
08:41:37.0921 2368 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
08:41:37.0921 2368 MRxDAV - ok
08:41:37.0937 2368 MRxSmb (68755f0ff16070178b54674fe5b847b0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
08:41:37.0953 2368 MRxSmb - ok
08:41:37.0968 2368 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
08:41:37.0968 2368 Msfs - ok
08:41:38.0000 2368 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
08:41:38.0000 2368 MSKSSRV - ok
08:41:38.0046 2368 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
08:41:38.0046 2368 MSPCLOCK - ok
08:41:38.0062 2368 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
08:41:38.0062 2368 MSPQM - ok
08:41:38.0109 2368 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
08:41:38.0109 2368 mssmbios - ok
08:41:38.0156 2368 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
08:41:38.0156 2368 MSTEE - ok
08:41:38.0187 2368 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
08:41:38.0187 2368 Mup - ok
08:41:38.0218 2368 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
08:41:38.0218 2368 NABTSFEC - ok
08:41:38.0234 2368 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
08:41:38.0234 2368 NDIS - ok
08:41:38.0265 2368 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
08:41:38.0265 2368 NdisIP - ok
08:41:38.0281 2368 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
08:41:38.0281 2368 NdisTapi - ok
08:41:38.0312 2368 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
08:41:38.0328 2368 Ndisuio - ok
08:41:38.0328 2368 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
08:41:38.0328 2368 NdisWan - ok
08:41:38.0359 2368 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
08:41:38.0359 2368 NDProxy - ok
08:41:38.0375 2368 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
08:41:38.0375 2368 NetBIOS - ok
08:41:38.0406 2368 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
08:41:38.0406 2368 NetBT - ok
08:41:38.0468 2368 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
08:41:38.0468 2368 NIC1394 - ok
08:41:38.0484 2368 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
08:41:38.0484 2368 Npfs - ok
08:41:38.0531 2368 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
08:41:38.0531 2368 Ntfs - ok
08:41:38.0562 2368 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
08:41:38.0578 2368 Null - ok
08:41:38.0609 2368 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
08:41:38.0609 2368 NwlnkFlt - ok
08:41:38.0640 2368 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
08:41:38.0640 2368 NwlnkFwd - ok
08:41:38.0671 2368 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
08:41:38.0671 2368 ohci1394 - ok
08:41:38.0703 2368 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
08:41:38.0703 2368 Parport - ok
08:41:38.0703 2368 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
08:41:38.0718 2368 PartMgr - ok
08:41:38.0734 2368 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
08:41:38.0734 2368 ParVdm - ok
08:41:38.0750 2368 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
08:41:38.0750 2368 PCI - ok
08:41:38.0765 2368 PCIDump - ok
08:41:38.0781 2368 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
08:41:38.0781 2368 PCIIde - ok
08:41:38.0812 2368 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
08:41:38.0812 2368 Pcmcia - ok
08:41:38.0812 2368 PDCOMP - ok
08:41:38.0828 2368 PDFRAME - ok
08:41:38.0843 2368 PDRELI - ok
08:41:38.0843 2368 PDRFRAME - ok
08:41:38.0859 2368 perc2 - ok
08:41:38.0875 2368 perc2hib - ok
08:41:38.0921 2368 pfc (5903fa75200807ad739286bbf40c4904) C:\WINDOWS\system32\drivers\pfc.sys
08:41:38.0921 2368 pfc - ok
08:41:38.0953 2368 Point32 (2e3394c8ebf31a9b4f0a531eb5cc7bc7) C:\WINDOWS\system32\DRIVERS\point32.sys
08:41:38.0968 2368 Point32 - ok
08:41:38.0984 2368 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
08:41:38.0984 2368 PptpMiniport - ok
08:41:39.0000 2368 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
08:41:39.0000 2368 PSched - ok
08:41:39.0031 2368 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
08:41:39.0031 2368 Ptilink - ok
08:41:39.0046 2368 PxHelp20 (7c81ae3c9b82ba2da437ed4d31bc56cf) C:\WINDOWS\system32\Drivers\PxHelp20.sys
08:41:39.0046 2368 PxHelp20 - ok
08:41:39.0062 2368 ql1080 - ok
08:41:39.0062 2368 Ql10wnt - ok
08:41:39.0078 2368 ql12160 - ok
08:41:39.0093 2368 ql1240 - ok
08:41:39.0093 2368 ql1280 - ok
08:41:39.0109 2368 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
08:41:39.0109 2368 RasAcd - ok
08:41:39.0140 2368 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
08:41:39.0140 2368 Rasl2tp - ok
08:41:39.0171 2368 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
08:41:39.0171 2368 RasPppoe - ok
08:41:39.0187 2368 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
08:41:39.0187 2368 Raspti - ok
08:41:39.0218 2368 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
08:41:39.0218 2368 Rdbss - ok
08:41:39.0234 2368 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
08:41:39.0234 2368 RDPCDD - ok
08:41:39.0281 2368 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
08:41:39.0281 2368 rdpdr - ok
08:41:39.0312 2368 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
08:41:39.0328 2368 RDPWD - ok
08:41:39.0343 2368 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
08:41:39.0343 2368 redbook - ok
08:41:39.0390 2368 s1039bus (d0eedc88876b20d42157cdcca3e647f3) C:\WINDOWS\system32\DRIVERS\s1039bus.sys
08:41:39.0390 2368 s1039bus - ok
08:41:39.0421 2368 s1039mdfl (7b35091a7bb597c86262c589b0b57d06) C:\WINDOWS\system32\DRIVERS\s1039mdfl.sys
08:41:39.0421 2368 s1039mdfl - ok
08:41:39.0453 2368 s1039mdm (4cb1ab13c9813cbf3e4c6406f8043ec2) C:\WINDOWS\system32\DRIVERS\s1039mdm.sys
08:41:39.0453 2368 s1039mdm - ok
08:41:39.0468 2368 s1039mgmt (2649ca09585a7531126dcc116ad1f88c) C:\WINDOWS\system32\DRIVERS\s1039mgmt.sys
08:41:39.0484 2368 s1039mgmt - ok
08:41:39.0515 2368 s1039nd5 (6d3f549efd6daedd7d12f3de2175053f) C:\WINDOWS\system32\DRIVERS\s1039nd5.sys
08:41:39.0515 2368 s1039nd5 - ok
08:41:39.0546 2368 s1039obex (305e3e3aca0037af2e2c1b50a383c91b) C:\WINDOWS\system32\DRIVERS\s1039obex.sys
08:41:39.0546 2368 s1039obex - ok
08:41:39.0578 2368 s1039unic (7dd02a58277c84c043442561589914f4) C:\WINDOWS\system32\DRIVERS\s1039unic.sys
08:41:39.0578 2368 s1039unic - ok
08:41:39.0687 2368 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
08:41:39.0703 2368 SASDIFSV - ok
08:41:39.0734 2368 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
08:41:39.0734 2368 SASKUTIL - ok
08:41:39.0796 2368 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
08:41:39.0796 2368 Secdrv - ok
08:41:39.0843 2368 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
08:41:39.0843 2368 serenum - ok
08:41:39.0859 2368 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
08:41:39.0859 2368 Serial - ok
08:41:39.0890 2368 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
08:41:39.0890 2368 Sfloppy - ok
08:41:39.0906 2368 Simbad - ok
08:41:39.0968 2368 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
08:41:39.0968 2368 SLIP - ok
08:41:39.0984 2368 Sparrow - ok
08:41:40.0031 2368 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
08:41:40.0031 2368 splitter - ok
08:41:40.0078 2368 Spyshelter (a5fb8e54040224b05596c4e20ef281e4) C:\Program Files\SpyShelter Personal Free\SpyShelter.sys
08:41:40.0078 2368 Spyshelter - ok
08:41:40.0125 2368 sp_rsdrv2 (ccd6e6c387e3efa3ba5fe0e7883821c1) C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
08:41:40.0125 2368 sp_rsdrv2 - ok
08:41:40.0171 2368 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
08:41:40.0171 2368 sr - ok
08:41:40.0234 2368 Srv (5252605079810904e31c332e241cd59b) C:\WINDOWS\system32\DRIVERS\srv.sys
08:41:40.0234 2368 Srv - ok
08:41:40.0281 2368 sscdbus (d6870895fe46a464a19141440eb6cc1e) C:\WINDOWS\system32\DRIVERS\sscdbus.sys
08:41:40.0281 2368 sscdbus - ok
08:41:40.0343 2368 sscdmdfl (0fe167362e4689b716cdc8d93adedda8) C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys
08:41:40.0343 2368 sscdmdfl - ok
08:41:40.0390 2368 sscdmdm (55a15707e32b6709242ad127e62ca55a) C:\WINDOWS\system32\DRIVERS\sscdmdm.sys
08:41:40.0406 2368 sscdmdm - ok
08:41:40.0453 2368 StarOpen (306521935042fc0a6988d528643619b3) C:\WINDOWS\system32\drivers\StarOpen.sys
08:41:40.0453 2368 StarOpen - ok
08:41:40.0484 2368 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
08:41:40.0484 2368 streamip - ok
08:41:40.0515 2368 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
08:41:40.0515 2368 swenum - ok
08:41:40.0546 2368 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
08:41:40.0546 2368 swmidi - ok
08:41:40.0562 2368 symc810 - ok
08:41:40.0578 2368 symc8xx - ok
08:41:40.0593 2368 sym_hi - ok
08:41:40.0593 2368 sym_u3 - ok
08:41:40.0640 2368 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
08:41:40.0640 2368 sysaudio - ok
08:41:40.0671 2368 Tcpip (93ea8d04ec73a85db02eb8805988f733) C:\WINDOWS\system32\DRIVERS\tcpip.sys
08:41:40.0671 2368 Tcpip - ok
08:41:40.0718 2368 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
08:41:40.0734 2368 TDPIPE - ok
08:41:40.0750 2368 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
08:41:40.0750 2368 TDTCP - ok
08:41:40.0781 2368 Teefer (04906f0072903bd0280791a562596b95) C:\WINDOWS\system32\Drivers\Teefer.sys
08:41:40.0781 2368 Teefer - ok
08:41:40.0796 2368 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
08:41:40.0812 2368 TermDD - ok
08:41:40.0828 2368 TosIde - ok
08:41:40.0890 2368 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
08:41:40.0890 2368 Udfs - ok
08:41:40.0906 2368 ultra - ok
08:41:40.0953 2368 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
08:41:40.0953 2368 Update - ok
08:41:41.0000 2368 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
08:41:41.0000 2368 usbaudio - ok
08:41:41.0015 2368 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
08:41:41.0031 2368 usbccgp - ok
08:41:41.0062 2368 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
08:41:41.0062 2368 usbehci - ok
08:41:41.0078 2368 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
08:41:41.0078 2368 usbhub - ok
08:41:41.0109 2368 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
08:41:41.0109 2368 usbprint - ok
08:41:41.0140 2368 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
08:41:41.0140 2368 usbscan - ok
08:41:41.0187 2368 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
08:41:41.0203 2368 usbstor - ok
08:41:41.0234 2368 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
08:41:41.0234 2368 usbuhci - ok
08:41:41.0296 2368 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
08:41:41.0296 2368 usbvideo - ok
08:41:41.0328 2368 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
08:41:41.0328 2368 VgaSave - ok
08:41:41.0343 2368 ViaIde - ok
08:41:41.0375 2368 vmmouse (2e11190f37f0499cca53cc1f92c5a3f7) C:\WINDOWS\system32\DRIVERS\vmmouse.sys
08:41:41.0375 2368 vmmouse - ok
08:41:41.0437 2368 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
08:41:41.0437 2368 VolSnap - ok
08:41:41.0453 2368 vsdatant - ok
08:41:41.0468 2368 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
08:41:41.0468 2368 Wanarp - ok
08:41:41.0484 2368 WDICA - ok
08:41:41.0531 2368 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
08:41:41.0531 2368 wdmaud - ok
08:41:41.0546 2368 wg3n (038ad5561af23bc9bba3d624daf311f0) C:\WINDOWS\SYSTEM32\Drivers\wg3n.sys
08:41:41.0562 2368 wg3n - ok
08:41:41.0562 2368 wg4n (266aa247c92f5d202a9cc633142ca425) C:\WINDOWS\SYSTEM32\Drivers\wg4n.sys
08:41:41.0562 2368 wg4n - ok
08:41:41.0578 2368 wg5n (c2a06a1673391203c023de8bc60927bc) C:\WINDOWS\SYSTEM32\Drivers\wg5n.sys
08:41:41.0578 2368 wg5n - ok
08:41:41.0593 2368 wg6n (2e94e4ef8d985be291cb4573c5dfca35) C:\WINDOWS\SYSTEM32\Drivers\wg6n.sys
08:41:41.0593 2368 wg6n - ok
08:41:41.0687 2368 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
08:41:41.0687 2368 WpdUsb - ok
08:41:41.0703 2368 wpsdrvnt (9eb103f5652c9253bad58350aede476d) C:\WINDOWS\system32\drivers\wpsdrvnt.sys
08:41:41.0703 2368 wpsdrvnt - ok
08:41:41.0750 2368 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
08:41:41.0750 2368 WS2IFSL - ok
08:41:41.0812 2368 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
08:41:41.0812 2368 WSTCODEC - ok
08:41:41.0843 2368 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
08:41:41.0843 2368 WudfPf - ok
08:41:41.0890 2368 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
08:41:41.0890 2368 WudfRd - ok
08:41:41.0968 2368 yukonwxp (6c7846b82598d4fdd8868d8edb945205) C:\WINDOWS\system32\DRIVERS\yk51x86.sys
08:41:41.0968 2368 yukonwxp - ok
08:41:42.0000 2368 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
08:41:42.0109 2368 \Device\Harddisk0\DR0 - ok
08:41:42.0109 2368 Boot (0x1200) (fca780f27b24d089afd1030bd9c7b77d) \Device\Harddisk0\DR0\Partition0
08:41:42.0109 2368 \Device\Harddisk0\DR0\Partition0 - ok
08:41:42.0125 2368 ============================================================
08:41:42.0125 2368 Scan finished
08:41:42.0125 2368 ============================================================
08:41:42.0125 2448 Detected object count: 0
08:41:42.0125 2448 Actual detected object count: 0
08:49:08.0328 1712 Deinitialize success

aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-03-06 08:59:12
-----------------------------
08:59:12.546 OS Version: Windows 5.1.2600 Service Pack 3
08:59:12.546 Number of processors: 2 586 0x409
08:59:12.546 ComputerName: USER-7BCF7E5992 UserName: user
08:59:13.031 Initialize success
08:59:17.218 AVAST engine defs: 12030501
09:00:11.796 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
09:00:11.796 Disk 0 Vendor: WDC_WD800JD-00MSA1 10.01E01 Size: 76318MB BusType: 3
09:00:11.828 Disk 0 MBR read successfully
09:00:11.828 Disk 0 MBR scan
09:00:11.875 Disk 0 Windows XP default MBR code
09:00:11.890 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 76308 MB offset 63
09:00:11.890 Disk 0 Partition 2 00 17 Hidd HPFS/NTFS NTFS 9 MB offset 156280320
09:00:11.921 Disk 0 Partition 2 **INFECTED** MBR:Alureon-K [Rtk]
09:00:11.921 Disk 0 scanning sectors +156299359
09:00:11.968 Disk 0 scanning C:\WINDOWS\system32\drivers
09:00:22.859 Service scanning
09:00:31.843 Service Spyshelter C:\Program Files\SpyShelter Personal Free\SpyShelter.sys **LOCKED** 32
09:00:35.562 Modules scanning
09:00:39.125 Module: C:\WINDOWS\System32\drivers\dxgthk.sys **SUSPICIOUS**
09:00:40.046 Module: C:\WINDOWS\system32\ntdll.dll **SUSPICIOUS**
09:00:40.062 Disk 0 trace - called modules:
09:00:40.078 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
09:00:40.078 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86b0dab8]
09:00:40.078 3 CLASSPNP.SYS[f7627fd7] -> nt!IofCallDriver -> \Device\0000006e[0x86b7c9e8]
09:00:40.078 5 ACPI.sys[f749e620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x86b0e940]
09:00:40.437 AVAST engine scan C:\WINDOWS
09:00:45.859 AVAST engine scan C:\WINDOWS\system32
09:02:32.078 AVAST engine scan C:\WINDOWS\system32\drivers
09:02:44.078 AVAST engine scan C:\Documents and Settings\user
09:05:29.781 AVAST engine scan C:\Documents and Settings\All Users
09:05:59.000 Scan finished successfully
09:06:38.953 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\user\Desktop\MBR.dat"
09:06:38.968 The log file has been saved successfully to "C:\Documents and Settings\user\Desktop\aswMBR.txt"

#11 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 05 March 2012 - 08:10 PM

For x86 (x32) bit systems please download Listparts

Run the tool, click Scan and post the log (Result.txt) it makes.


Note: The tool currently gives a full log on Italian- and English-language operating systems.

Edited by gringo_pr, 05 March 2012 - 08:11 PM.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#12 novice1958 (Topic Starter)

Posted 05 March 2012 - 10:13 PM

Hi Gringo,
aswMBR found the location of the Alureon F rootkit. I didn't let the program fix it because you didn't instruct me to do so.

Can you please answer the question I asked in my previous post? "Should I re-run aswMBR again and click 'Fix MBR'?"

Cheers

#13 novice1958 (Topic Starter)

Posted 05 March 2012 - 10:28 PM

Here is the ListParts results log.

ListParts by Farbar Version: 06-03-2012
Ran by user (administrator) on 06-03-2012 at 14:23:53
Windows XP (X86)
Running From: C:\Documents and Settings\user\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 50%
Total physical RAM: 1015.48 MB
Available physical RAM: 500.44 MB
Total Pagefile: 2442.22 MB
Available Pagefile: 1803.04 MB
Total Virtual: 2047.88 MB
Available Virtual: 2010.5 MB

======================= Partitions =========================

2 Drive c: () (Fixed) (Total:74.52 GB) (Free:30.95 GB) NTFS ==>[Drive with boot components (Windows XP)]

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 75 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 75 GB 32 KB
Partition 2 Unknown 9 MB 75 GB
======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 75 GB Healthy System (partition with boot components)
======================================================================================================

Disk: 0
Partition 2
Type : 17 (Suspicious Type)
Hidden: Yes
Active: No

There is no volume associated with this partition.
======================================================================================================

****** End Of Log ******
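The hidden partition that both the aswMBR log above ("Partition 2 00 17 Hidd HPFS/NTFS NTFS 9 MB offset 156280320") and this ListParts log ("Type : 17 (Suspicious Type)") point at is readable straight from the 64-byte partition table at the end of the MBR sector. The Python below is an added example, not code from the thread or from the tools it mentions: it parses a 512-byte MBR and applies the same kind of checks those tools print (hidden partition-type ID, a tiny inactive partition sitting after the OS partition, an extent past the end of the disk). The sample sector is constructed here from the sizes and offsets in the logs, not a dump of the poster's disk; the disk size comes from the aswMBR line "Size: 76318MB", and all function and constant names are the example's own.

```python
import struct

SECTOR = 512
# Disk size in sectors, taken from the aswMBR log line "Size: 76318MB" (2048 sectors per MB).
DISK_SECTORS = 76318 * 2048

# Partition-type IDs marked "hidden" in the common MBR type list; 0x17 is what
# aswMBR prints as "Hidd HPFS/NTFS" and ListParts as "Type : 17 (Suspicious Type)".
HIDDEN_TYPES = {
    0x11: "hidden FAT12",
    0x14: "hidden FAT16 <32M",
    0x16: "hidden FAT16",
    0x17: "hidden HPFS/NTFS",
    0x1B: "hidden FAT32",
    0x1C: "hidden FAT32 (LBA)",
    0x1E: "hidden FAT16 (LBA)",
}


def parse_mbr(mbr: bytes) -> list:
    """Return the non-empty entries of the four-slot partition table at offset 0x1BE."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a 512-byte MBR sector with a 55AA boot signature")
    entries = []
    for slot in range(4):
        off = 0x1BE + 16 * slot
        # Entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4),
        # little-endian; the CHS fields are skipped because modern tools rely on the LBA fields.
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:
            continue  # empty slot
        entries.append({
            "slot": slot + 1,
            "active": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": count,
            "size_mb": count * SECTOR // (1024 * 1024),
        })
    return entries


def flag_suspicious(entries: list, disk_sectors: int) -> list:
    """Heuristics in the spirit of the thread's tools: hidden type ID, a small inactive
    partition that is not the main one, or an entry that runs past the end of the disk.
    Returns a list of (slot, [reasons]) for flagged entries only."""
    findings = []
    largest = max((e["sectors"] for e in entries), default=0)
    for e in entries:
        reasons = []
        if e["type"] in HIDDEN_TYPES:
            reasons.append("hidden partition type 0x%02X (%s)" % (e["type"], HIDDEN_TYPES[e["type"]]))
        if not e["active"] and e["size_mb"] <= 16 and e["sectors"] < largest:
            reasons.append("small inactive partition (%d MB)" % e["size_mb"])
        if e["lba_start"] + e["sectors"] > disk_sectors:
            reasons.append("extends past end of disk")
        if reasons:
            findings.append((e["slot"], reasons))
    return findings


def _entry(status: int, ptype: int, lba_start: int, count: int) -> bytes:
    # CHS fields zeroed; only the LBA start and sector count are populated.
    return struct.pack("<B3xB3xII", status, ptype, lba_start, count)


def build_sample_mbr() -> bytes:
    """Constructed MBR sector (not a real dump) mirroring the layout in the logs:
    one active NTFS partition of 76308 MB at LBA 63 and a 9 MB, inactive,
    type-0x17 partition at LBA 156280320."""
    table = _entry(0x80, 0x07, 63, 76308 * 2048) + _entry(0x00, 0x17, 156280320, 9 * 2048)
    table += b"\x00" * 32  # two empty slots
    return b"\x00" * 0x1BE + table + b"\x55\xaa"


if __name__ == "__main__":
    found = parse_mbr(build_sample_mbr())
    for e in found:
        print("Partition %d  active=%s  type=0x%02X  start=%d  size=%d MB"
              % (e["slot"], e["active"], e["type"], e["lba_start"], e["size_mb"]))
    for slot, reasons in flag_suspicious(found, DISK_SECTORS):
        print("Partition %d SUSPICIOUS: %s" % (slot, "; ".join(reasons)))
```

On a live system the same parse applies to the first 512 bytes of the physical disk (the MBR.dat that aswMBR saved to the desktop in the log above has that shape). The partition-table view alone cannot tell whether the MBR boot code has been replaced; aswMBR's "Windows XP default MBR code" line is the separate check for that, and comparing the code region (bytes 0 to 0x1BD) against a known-good copy is what that check amounts to.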

#14 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 06 March 2012 - 09:21 AM

Greetings

I need you to make a bootable USB and take a screenshot for me; follow the instructions below to do this.

How to create a bootable Puppy USB Drive

  • Download and save a copy of the latest Puppy ISO file.
  • Download and save a copy of Unetbootin for Windows.
  • Insert an empty formatted USB drive into a USB port on the computer that's being used to create the bootable USB.
  • Launch Unetbootin.
  • Ensure that Disk Image is selected.
  • Using the browse button, browse to and select the Puppy ISO file.
  • Ensure that Type: is set to USB Drive and that the Drive: letter corresponds to the USB drive.
  • Click OK
Unetbootin will now copy the Puppy files to the USB and make it a bootable device.

Next

You need to change the boot order of the computer to boot from a USB drive.

  • Read HERE for instructions on how to do this.

Now boot into Puppylinux

When you get to the desktop, click on each of the drive items found in the bottom left corner to mount them (when mounted they will have a red cross next to them).

Next, launch GParted, which is found at Menu > System > GParted partition manager.
Click to select All Drives, then click Okay.
I need you to take a screenshot of the window that opens up; to do this, follow these instructions.

To take a screenshot in Puppy:

With the GParted window open:

  • Click menu > Graphic > mtPaint-snapshot screen capture
  • A small window will open.

    • Click Capture Now
    • Click OK
  • The mtPaint program will open.
    • Click File > Save
    • Double click on ../
    • Double click on mnt/
    • Double click on sdb1/
    • Set File Format to JPEG
    • Enter screenshot1 into the text box
    • Click OK

This will save a file screenshot1.jpeg to the USB drive; paste or attach this to your next post.

Next

  • Click menu > shutdown > power off computer
  • If prompted to save the session click on No

Puppy will now close down.

Remove the USB and save it (we will use it again), boot back into Windows and send me the screen capture.

gringo

#15 novice1958 (Topic Starter)

Posted 06 March 2012 - 04:46 PM

Hi Gringo,
You still haven't answered a question I asked in two of my recent posts.

aswMBR found the location of the Alureon F rootkit. I didn't let the program fix it because you didn't instruct me to do so.

"Should I re-run aswMBR again and click 'Fix MBR'?"

Cheers
