Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hacked issues


  • This topic is locked This topic is locked
48 replies to this topic

#1 YesImOtto

YesImOtto

  • Members
  • 284 posts
  • OFFLINE
  •  
  • Local time:06:14 AM

Posted 15 March 2012 - 09:01 PM

Previous link : http://www.bleepingcomputer.com/forums/topic446356.html/page__gopid__2632786#entry2632786

This is the aswMBR log
---------------------------------------------------
aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-03-16 09:34:43
-----------------------------
09:34:43.837 OS Version: Windows 6.1.7600
09:34:43.837 Number of processors: 4 586 0x2505
09:34:43.838 ComputerName: TOSHIBAL650 UserName:
09:34:45.424 Initialize success
09:34:45.905 AVAST engine defs: 12030600
09:35:03.677 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
09:35:03.683 Disk 0 Vendor: TOSHIBA_ GJ00 Size: 610480MB BusType: 3
09:35:03.704 Disk 0 MBR read successfully
09:35:03.710 Disk 0 MBR scan
09:35:03.842 Disk 0 Windows VISTA default MBR code
09:35:03.868 Disk 0 Partition 1 80 (A) 27 Hidden NTFS WinRE NTFS 1500 MB offset 2048
09:35:03.921 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 597008 MB offset 3074048
09:35:03.952 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 11971 MB offset 1225746432
09:35:03.982 Disk 0 scanning sectors +1250263040
09:35:04.117 Disk 0 scanning C:\windows\system32\drivers
09:35:15.955 Service scanning
09:35:53.008 Modules scanning
09:36:09.058 Scan finished successfully
09:36:32.007 Disk 0 MBR has been saved successfully to "C:\Users\(my name)\Documents\Virus Removal\MBR.dat"
09:36:32.013 The log file has been saved successfully to "C:\Users\(my name)\Documents\Virus Removal\aswMBR.txt"


===============================================================================DDS LOG=========

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 10.1.0
Run by (my name) at 9:55:19 on 2012-03-16
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.61.1033.18.3063.1117 [GMT 8:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\system32\atiesrxx.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\atieclxx.exe
C:\windows\system32\WLANExt.exe
C:\windows\system32\conhost.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\windows\system32\PnkBstrA.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\TECO\TecoService.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.0.6\ToolbarUpdater.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\windows\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe
C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
C:\Program Files\TOSHIBA\TECO\Teco.exe
C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe
C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\Messenger Plus!\PlusService.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVG Secure Search\vprot.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\system32\taskeng.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\Program Files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Common Files\Steam\SteamService.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\windows\system32\UI0Detect.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\System32\svchost.exe -k WerSvcGroup
C:\windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com.au/
uDefault_Page_URL = hxxp://toshiba.msn.com
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\10.0.0.7\AVG Secure Search_toolbar.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\mif5ba~1\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: TOSHIBA Media Controller Plug-in: {f3c88694-effa-4d78-b409-54b7b2535b14} - c:\program files\toshiba\toshiba media controller plug-in\TOSHIBAMediaControllerIE.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\10.0.0.7\AVG Secure Search_toolbar.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [Facebook Update] "c:\users\(my name)\appdata\local\facebook\update\FacebookUpdate.exe" /c /nocrashserver
uRun: [OpenDNS Updater] "c:\program files\opendns updater\OpenDNSUpdater.exe" /autostart
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [<NO NAME>]
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SmartAudio] c:\program files\conexant\saii\SAIICpl.exe /t
mRun: [cAudioFilterAgent] c:\program files\conexant\caudiofilteragent\cAudioFilterAgent.exe
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [TWebCamera] "c:\program files\toshiba\toshiba web camera application\TWebCamera.exe" autorun
mRun: [SmartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe
mRun: [TosSENotify] c:\program files\toshiba\toshiba hdd ssd alert\TosWaitSrv.exe
mRun: [ToshibaServiceStation] c:\program files\toshiba\toshiba service station\ToshibaServiceStation.exe /hide:60
mRun: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r
mRun: [TosWaitSrv] %ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe
mRun: [TosVolRegulator] c:\program files\toshiba\tosvolregulator\TosVolRegulator.exe
mRun: [TosNC] %ProgramFiles%\Toshiba\BulletinBoard\TosNcCore.exe
mRun: [TosReelTimeMonitor] %ProgramFiles%\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [PlusService] c:\program files\messenger plus!\PlusService.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
mRun: [ROC_roc_dec12] "c:\program files\avg secure search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office14\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
TCP: DhcpNameServer = 10.1.1.1 192.168.0.1
TCP: Interfaces\{C5BB9B8D-BE4A-4489-920B-8B4137D4E70B} : NameServer = 208.67.220.220,208.67.222.222
TCP: Interfaces\{C5BB9B8D-BE4A-4489-920B-8B4137D4E70B} : DhcpNameServer = 10.1.1.1 192.168.0.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\10.0.6\ViProtocol.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\(my name)\appdata\roaming\mozilla\firefox\profiles\yi4f1yka.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.biblegateway.com/
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B3d7e99cd-7a93-457f-b24c-2285900733a4%7D&mid=832ccfdf427b47d69f47d16f2a607d06-0a6cb52d460eacdef289817be562a26ff1f603a4&ds=AVG&v=9.0.0.18.1&lang=en&pr=fr&d=2011-10-19%2011%3A11%3A00&sap=ku&q=
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\progra~1\mif5ba~1\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\mif5ba~1\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\users\(my name)\appdata\local\facebook\video\skype\npFacebookVideoCalling.dll
FF - plugin: c:\users\(my name)\appdata\roaming\mozilla\firefox\profiles\yi4f1yka.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-3-16 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-3-16 337880]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-18 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-11 67656]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-3-15 172032]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-3-16 20696]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-3-16 57688]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-3-16 44768]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files\toshiba\configfree\CFIWmxSvcs.exe [2010-1-29 185712]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2009-3-11 46448]
R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\toshiba\teco\TecoService.exe [2010-3-18 189808]
R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\drivers\TVALZFL.sys [2009-6-20 12920]
R2 UNS;Intel® Management & Security Application User Notification Service;c:\program files\intel\intel® management engine components\uns\UNS.exe [2010-10-18 2320920]
R2 vToolbarUpdater;vToolbarUpdater;c:\program files\common files\avg secure search\vtoolbarupdater\10.0.6\ToolbarUpdater.exe [2012-2-2 909152]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atipmdag.sys [2010-3-15 5340160]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2010-3-15 152064]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134736]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-4 16720]
R3 CnxtHdmiAudService;Conexant UAA HDMI Function Driver for High Definition Audio Service;c:\windows\system32\drivers\CHDMI32.sys [2010-3-6 516152]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2010-10-18 7680]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\drivers\L1C62x86.sys [2010-2-23 66600]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
R3 PGEffect;Pangu effect driver;c:\windows\system32\drivers\PGEffect.sys [2010-10-18 24064]
R3 TMachInfo;TMachInfo;c:\program files\toshiba\toshiba service station\TMachInfo.exe [2010-10-18 51512]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\toshiba\toshiba hdd ssd alert\TosSmartSrv.exe [2010-2-6 111960]
R3 TPCHSrv;TPCH Service;c:\program files\toshiba\tphm\TPCHSrv.exe [2010-2-24 685424]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-14 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-3-16 136176]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-5-13 1025352]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-3-16 136176]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2010-10-18 182304]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-8-6 1343400]
.
=============== Created Last 30 ================
.
2012-03-16 01:30:21 -------- d-----w- c:\users\(my name)\appdata\local\Google
2012-03-16 01:30:16 44376 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2012-03-16 01:30:15 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-03-16 01:30:12 57688 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-03-16 01:29:44 41184 ----a-w- c:\windows\avastSS.scr
2012-03-16 01:29:14 -------- d-----w- c:\programdata\AVAST Software
2012-03-16 01:29:14 -------- d-----w- c:\program files\AVAST Software
2012-02-20 04:23:53 -------- d-----w- c:\program files\Eidos Interactive
2012-02-18 02:31:23 -------- d-----w- c:\program files\SpywareBlaster
.
==================== Find3M ====================
.
2011-02-20 23:26:24 2290745340 ----a-w- c:\program files\MSSetupv95.exe
.
============= FINISH: 9:57:31.28 ===============



=======================================================================ATTACH LOG======================================================


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 10/01/2011 5:52:47 PM
System Uptime: 16/03/2012 7:35:41 AM (2 hours ago)
.
Motherboard: TOSHIBA | | Portable PC
Processor: Intel® Core™ i3 CPU M 370 @ 2.40GHz | CPU | 1847/1066mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 583 GiB total, 512.159 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP65: 4/01/2012 8:51:27 AM - Scheduled Checkpoint
RP66: 28/01/2012 3:21:46 PM - Scheduled Checkpoint
RP67: 7/02/2012 3:40:20 PM - Scheduled Checkpoint
RP69: 9/02/2012 3:27:09 PM - Removed Battlefield 2: Deluxe Edition
RP70: 28/02/2012 3:22:41 PM - Scheduled Checkpoint
RP71: 16/03/2012 9:29:01 AM - avast! Free Antivirus Setup
.
==== Installed Programs ======================
.
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.5.0
Amazon Kindle For PC v1.1
Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver
ATI Catalyst Install Manager
avast! Free Antivirus
AVG 2012
Bejeweled 2 Deluxe
BlueJ 3.0.5
Bluetooth Stack for Windows by Toshiba
Broadcom 802.11 Network Adapter
Build-a-lot 2
Business Contact Manager for Outlook 2007 SP2
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
Chuzzle Deluxe
Combined Community Codec Pack 2010-10-10
Commando
Conexant Audio Driver For AMD HDMI Codec
Conexant HD Audio
ConTEXT v0.98.6
Counter-Strike
Definition update for Microsoft Office 2010 (KB982726)
Diablo II
DVD Flick 1.3.0.7
ESET Online Scanner v3
Facebook Video Calling 1.1.1.1
FATE
GOM Player
Google Update Helper
Hero Editor V0.96
Heroes of Might and Magic II
Heroes of Might and Magic®
Heroes of Might and Magic® III
Heroes of Might and Magic® IV
Intel® Management Engine Components
Intel® Rapid Storage Technology
iPod for Windows 2006-03-23
iTunes
Java Auto Updater
Java™ 6 Update 26
Java™ 7 Update 1
Java™ SE Development Kit 7
Jewel Quest - Heritage
Junk Mail filter update
LSI V92 MOH Application
Malwarebytes' Anti-Malware
MapleStory
Messenger Plus! 5
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office 2003 Web Components
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Small Business Connectivity Components
Microsoft Office Suite Activation Assistant
Microsoft Office Word MUI (English) 2010
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox 8.0 (x86 en-US)
MSVCRT
Nexon Game Manager
Norton Internet Security
OpenDNS Updater 2.2.1
Pando Media Booster
Plants vs. Zombies
PlayReady PC Runtime x86
Polar Bowler
PunkBuster Services
QuickTime
Realtek USB 2.0 Card Reader
Red Alert Windows 95
Security Update for Microsoft InfoPath 2010 (KB2510065)
Security Update for Microsoft Office 2010 (KB2289078)
Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
Skype Toolbars
Skype™ 4.2
SpywareBlaster 4.6
StarCraft II
Steam
SUPERAntiSpyware
Synaptics Pointing Device Driver
TOSHIBA Assist
TOSHIBA Bulletin Board
TOSHIBA ConfigFree
TOSHIBA Disc Creator
TOSHIBA eco Utility
TOSHIBA Face Recognition
TOSHIBA Hardware Setup
TOSHIBA HDD/SSD Alert
TOSHIBA Media Controller
TOSHIBA Media Controller Plug-in
TOSHIBA PC Health Monitor
TOSHIBA Recovery Media Creator
TOSHIBA ReelTime
TOSHIBA Service Station
TOSHIBA Software Modem
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA Supervisor Password
TOSHIBA Value Added Package
TOSHIBA Web Camera Application
Update for Microsoft Office 2010 (KB2202188)
Update for Microsoft Office 2010 (KB2494150)
Update for Microsoft Office 2010 (KB2523113)
Update for Microsoft Office 2010 (KB2553092)
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Outlook Social Connector (KB2289116)
Virtual Villagers 4 - The Tree of Life
Wheel of Fortune 2
WildTangent Games
WildTangent ORB Game Console
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
WinRAR archiver
Zuma's Revenge
.
==== Event Viewer Messages From Past Week ========
.
9/03/2012 7:21:27 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR1.
16/03/2012 9:39:09 AM, Error: Service Control Manager [7034] - The Google Update Service (gupdate) service terminated unexpectedly. It has done this 1 time(s).
15/03/2012 9:17:09 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Steam Client Service service to connect.
15/03/2012 9:17:09 PM, Error: Service Control Manager [7000] - The Steam Client Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
.
==== End Of File ===========================

BC AdBot (Login to Remove)

 


#2 YesImOtto

YesImOtto
  • Topic Starter

  • Members
  • 284 posts
  • OFFLINE
  •  
  • Local time:06:14 AM

Posted 17 March 2012 - 09:20 AM

Still need help

#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:14 AM

Posted 18 March 2012 - 07:33 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#4 YesImOtto

YesImOtto
  • Topic Starter

  • Members
  • 284 posts
  • OFFLINE
  •  
  • Local time:06:14 AM

Posted 18 March 2012 - 07:51 PM

Yes I am here!

May I also add, m0le, that I have 2 weird rootkits. Here is the topic

http://www.bleepingcomputer.com/forums/topic446580.html/page__gopid__2635904#entry2635904

It may be like what boopme said, two AVs seeing each other as threat/rootkits.

Ok, I am here, waiting for your help! :)

#5 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:14 AM

Posted 18 March 2012 - 08:26 PM

Your aswMBR log shows a hidden, malicious partition - as boopme rightly points out:

09:35:03.952 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 11971 MB offset 1225746432

To remove this we need to boot the system using a Linux operating system. This is a bit more complicated than the usual automatic progrms we use so please check with me if you are unsure of what to do.

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Download tdl_fix.sh and save it to the xPUD flash drive.
  • Plug the flashdrive in and boot into xPUD then click the File tab.
  • Press File
  • Expand mnt
  • Click on the folder under mnt that represents your USB drive (sdb1 ?)
  • You should see the tdl_fix.sh file in the main window.
  • Select Tool from the Menu
  • Choose Open Terminal
  • Type bash tdl_fix.sh then press Enter.
  • Read the warning then type y and press Enter to continue.
  • Type sda then press Enter when prompted.
  • You will be shown a list of partitions to choose marking active.
  • Type 1 then press Enter.
  • If you are presented with a warning about no bootloader files, type n then press Enter to choose another. If this happens, type 2 to select partition 2 then press Enter.
  • When you receive no warning about bootloader files but are presented with another view of the partition structure and asked if it looks correct, type y then press Enter.
  • The script will complete and prompt you to reboot the computer.
  • Close the Terminal window and restart back into Windows.
  • Post the contents of the tdl_fix.txt file that was created on your flash drive and let me know how the computer is behaving.

**NOTE: - in the event there is a problem booting the computer normally after running the script, run the tdl_fix.sh script again using the following command.

bash tdl_fix.sh -restore

Make sure to leave a space to either side of tdl_fix.sh in the command.
This will prompt you to use the file tdl_mbr_sda.bin on drive sda.
Click OK, and then reboot the computer.
This is a backup of the original mbr and will restore it to it's current state.

Please then rerun aswMBR and post the log.
Posted Image
m0le is a proud member of UNITE

#6 YesImOtto

YesImOtto
  • Topic Starter

  • Members
  • 284 posts
  • OFFLINE
  •  
  • Local time:06:14 AM

Posted 18 March 2012 - 08:50 PM

Before I do what you said, m0le, just asking, doing that will absolutely do no harm to my computer right? Please dont misunderstand - when I hear the word boot and format I thought it was going to be like a real format where I will lose everything in this laptop. It is not the case right?

If so I will do it. And also for the USB, so I will lose everything in it since you tell me to format it, am I right?

Also - I have watched the topic, but where do I go for the list of topics I have watched?

Thank you again m0le

Edited by sumosalad, 18 March 2012 - 08:56 PM.


#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:14 AM

Posted 18 March 2012 - 09:00 PM

The malware has added a partition to your hard drive. It has also made sure that the system boots to this partition.

TDL fix will safely remove this partition and put the boot command (called a flag) back into the correct partition. The following excerpt from the instructions explains what happens here.

  • If you are presented with a warning about no bootloader files, type n then press Enter to choose another. If this happens, type 2 to select partition 2 then press Enter.
  • When you receive no warning about bootloader files but are presented with another view of the partition structure and asked if it looks correct, type y then press Enter.


The program will check if there are bootloader files in that partition. If there aren't then it's the wrong one and you get a warning and you can try another partition. The second bullet point shows what happens when the program knows it is the correct partition and here you would type y which puts the flag back. As long as you follow the instructions there should be no problem.

You only have two partition options, 1 and 2. 1 looks like a recovery partition so I would try the boot flag in partition 2 first.


-------------------------------------------------------

To find the list of topics, click your profile box in the top right hand corner, click My Settings. Click the forums tab and then click Manage Watched Topics.
Posted Image
m0le is a proud member of UNITE

#8 YesImOtto

YesImOtto
  • Topic Starter

  • Members
  • 284 posts
  • OFFLINE
  •  
  • Local time:06:14 AM

Posted 18 March 2012 - 09:02 PM

Ok m0le, I appreciate the help and I trust that you are an expert at this. But I just would like to make sure that I will lose nothing in mylaptop and USB right?

#9 YesImOtto

YesImOtto
  • Topic Starter

  • Members
  • 284 posts
  • OFFLINE
  •  
  • Local time:06:14 AM

Posted 18 March 2012 - 09:32 PM

Ok now I am starting to use the


http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe

But each time I open it, Avast says it is suspicious and that it is being run in Avast's sandbox. Therefore the program keeps closing down, because Avast says it is very suspicious. What to do, M0le? Must I turn off Avast sandbox first?

Edited by sumosalad, 18 March 2012 - 09:40 PM.


#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:14 AM

Posted 19 March 2012 - 05:12 PM

Yes, disable Avast while we run these tools. :)
Posted Image
m0le is a proud member of UNITE

#11 YesImOtto

YesImOtto
  • Topic Starter

  • Members
  • 284 posts
  • OFFLINE
  •  
  • Local time:06:14 AM

Posted 20 March 2012 - 01:26 AM

Hi m0le

I am up to this point (bolded)




Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer

Insert your USB drive
Press Start > My Computer > right click your USB drive > choose Format > Quick format
Double click the unetbootin-xpud-windows-387.exe that you just downloaded
Press Run then OK
Select the DiskImage option then click the browse button located on the right side of the textbox field.
Browse to and select the xpud-0.9.2.iso file you downloaded
Verify the correct drive letter is selected for your USB device then click OK
It will install a little bootable OS on your USB device
Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
After it has completed do not choose to reboot the clean computer simply close the installer
Download tdl_fix.sh and save it to the xPUD flash drive.
Plug the flashdrive in and boot into xPUD then click the File tab.
Press File
Expand mnt
----------------


So I have downloaded the tdl fix sh file, put it into my flash drive. Then....I am at a loss of what to do. So I saved the tdl fix, put it into my USB. I dont understand the boot into xPUD then click the File tab.

Hope you will reply again. By the way m0le, what is the severity of this suspicious thing? Surely it is not super super dangerous right? We can do this over a few days right?

Hope to hear back from you, meanwhile I will activate Avast again :)

Edited by sumosalad, 20 March 2012 - 01:48 AM.


#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:14 AM

Posted 20 March 2012 - 04:53 PM

If xPUD has been properly installed it should now be on the flashdrive.

Plug the flashdrive in and boot into xPUD


What this means is you should plug the flashdrive in and then reboot the machine. The xPUD operating system should kick in and it will boot without Windows into a very basic interface. This is the first screen you should see. See here for what it looks like when it has booted - no fancy desktop here!
Posted Image
m0le is a proud member of UNITE

#13 YesImOtto

YesImOtto
  • Topic Starter

  • Members
  • 284 posts
  • OFFLINE
  •  
  • Local time:06:14 AM

Posted 20 March 2012 - 07:54 PM

Oh, so I should restart WITH my USB connected?

Ok I will do so, I think its better to write down all the steps since I will not be able to access this site when I am in that mode?

Also m0le how severe is this do you think? I mean, it is not something that is super super urgent right?

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:14 AM

Posted 20 March 2012 - 08:28 PM

It's not super urgent, no. It's quite easy to fix now but it takes a bit of work to do this. You should plug the USB in and then reboot. :)
Posted Image
m0le is a proud member of UNITE

#15 YesImOtto

YesImOtto
  • Topic Starter

  • Members
  • 284 posts
  • OFFLINE
  •  
  • Local time:06:14 AM

Posted 21 March 2012 - 12:00 AM

Will I be able to see these intstructions while I am doing this? Should I write them down m0le?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users