Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Windows XP virus, svchost.exe draining processor speed


  • Please log in to reply

#1
darkthief33

darkthief33

    New Member

  • Member
  • Pip
  • 2 posts
About a month and a half ago a virus was put on the computer at the place i work. I've tried a few basic things running malware-bytes and glancing at a hijackthis log to see if there was anything overt i could see that could be causing it. When we first turn on the computer it runs normally for around 10 minutes before processor speed drops dramatically very quickly. If you close the svchost.exe thats running the computer will perform almost normally for another 10 minutes or so (though you lose access to the run32dll so you can't open most system assets like the volume control and the like.

When you open IE (only browser my boss wants.. i know :)) it will open up and additional popup to a random site and then again once every like 10 minutes. Also, recently the last few days the computer has started to completely freeze up after about 15 minutes and needs to be reset. I'm going to be off the next two days but i will check on this forum on thursday and see what you guys think. This is the OTL log

OTL logfile created on: 6/20/2011 7:19:32 PM - Run 1
OTL by OldTimer - Version 3.2.24.1 Folder = C:\Documents and Settings\t2\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.23 Gb Available Physical Memory | 61.93% Memory free
2.58 Gb Paging File | 1.94 Gb Available in Paging File | 75.22% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 1.68 Gb Free Space | 4.50% Space Free | Partition Type: NTFS
Drive D: | 2.87 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF

Computer Name: MVP2010 | User Name: t2 | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/06/20 19:19:18 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\t2\Desktop\OTL.exe
PRC - [2011/05/29 09:11:28 | 000,449,584 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2011/05/29 09:11:28 | 000,366,640 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2010/05/14 12:44:46 | 000,501,480 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Common Files\Java\Java Update\jucheck.exe
PRC - [2010/03/10 14:26:48 | 000,189,728 | ---- | M] (Protexis Inc.) -- c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/10/14 11:11:10 | 001,388,544 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
PRC - [2002/09/20 16:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
PRC - [1998/09/04 00:09:08 | 000,119,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\MDM.EXE


========== Modules (SafeList) ==========

MOD - [2011/06/20 19:19:18 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\t2\Desktop\OTL.exe
MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (avgwd)
SRV - File not found [Disabled | Stopped] -- -- (AVGIDSAgent)
SRV - File not found [Disabled | Stopped] -- -- (AVG Security Toolbar Service)
SRV - [2011/05/29 09:11:28 | 000,366,640 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2010/04/16 10:03:12 | 000,386,424 | ---- | M] (SupportSoft, Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\supportsoft\bin\ssrc.exe -- (SupportSoft RemoteAssist)
SRV - [2010/03/10 14:26:48 | 000,189,728 | ---- | M] (Protexis Inc.) [Auto | Running] -- c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe -- (PSI_SVC_2)
SRV - [2002/09/20 16:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))


========== Driver Services (SafeList) ==========

DRV - [2011/05/29 09:11:20 | 000,022,712 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2010/12/08 05:12:38 | 000,251,728 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2010/11/12 14:19:38 | 000,299,984 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2010/09/07 04:48:56 | 000,034,384 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2010/08/19 22:42:38 | 000,030,288 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AVGIDSFilter.sys -- (AVGIDSFilter)
DRV - [2010/08/19 22:42:36 | 000,123,472 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AVGIDSDriver.sys -- (AVGIDSDriver)
DRV - [2010/08/19 22:42:34 | 000,026,192 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AVGIDSShim.sys -- (AVGIDSShim)
DRV - [2007/06/25 19:21:00 | 000,081,920 | R--- | M] (SIIG, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\siigpar.sys -- (siigpar)
DRV - [2005/10/27 16:36:52 | 000,393,088 | ---- | M] (Sensaura) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2004/09/14 14:55:44 | 000,088,960 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MidiSyn.sys -- (MidiSyn)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 4A 22 A0 BF 85 86 CB 01 [binary data]
IE - HKCU\..\URLSearchHook: {37153479-1976-43c3-a1ee-557513977b64} - C:\Program Files\Coupons.com\prxtbCou0.dll (Conduit Ltd.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG10\Firefox4\


Hosts file not found
O2 - BHO: (Coupons.com Toolbar) - {37153479-1976-43c3-a1ee-557513977b64} - C:\Program Files\Coupons.com\prxtbCou0.dll (Conduit Ltd.)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - File not found
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Coupons.com Toolbar) - {37153479-1976-43c3-a1ee-557513977b64} - C:\Program Files\Coupons.com\prxtbCou0.dll (Conduit Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (Coupons.com Toolbar) - {37153479-1976-43C3-A1EE-557513977B64} - C:\Program Files\Coupons.com\prxtbCou0.dll (Conduit Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - File not found
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe (Analog Devices, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: mvpizza02 ([]file in Trusted sites)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\t2\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\t2\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/11/02 20:01:43 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKCU\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/06/20 19:20:18 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2011/06/20 19:19:16 | 000,579,072 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\t2\Desktop\OTL.exe
[2011/06/20 19:10:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\t2\Start Menu\Programs\HiJackThis
[2011/06/16 20:47:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple Computer
[2011/06/13 18:00:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iTunes
[2011/06/13 17:59:40 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2011/06/06 17:18:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Coupons.com
[2011/06/06 17:18:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2011/06/03 03:37:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Identities
[2011/06/02 20:57:31 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2011/06/02 20:57:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2011/06/02 20:53:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\AVG 2011
[2011/06/02 19:22:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\t2\Application Data\Malwarebytes
[2011/06/02 19:21:55 | 000,039,984 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/06/02 19:21:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/06/02 19:21:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/06/02 19:21:52 | 000,022,712 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/06/02 19:21:51 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/06/02 18:55:42 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/06/02 18:16:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2011/06/02 17:54:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/06/02 17:54:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/06/02 15:53:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/06/02 15:53:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[1998/12/08 22:53:54 | 000,186,368 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRAREG.DLL
[1998/12/08 22:53:54 | 000,099,840 | ---- | C] (Symantec Corp.) -- C:\Program Files\Common Files\IRAABOUT.DLL
[1998/12/08 22:53:54 | 000,070,144 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRAMDMTR.DLL
[1998/12/08 22:53:54 | 000,048,640 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRALPTTR.DLL
[1998/12/08 22:53:54 | 000,031,744 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRAWEBTR.DLL
[1998/12/08 22:53:54 | 000,017,920 | ---- | C] (Symantec Corp.) -- C:\Program Files\Common Files\IRASRIAL.DLL
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/06/20 19:22:52 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/06/20 19:19:18 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\t2\Desktop\OTL.exe
[2011/06/20 19:10:25 | 000,002,441 | ---- | M] () -- C:\Documents and Settings\t2\Desktop\HiJackThis.lnk
[2011/06/20 19:09:49 | 001,402,880 | ---- | M] () -- C:\Documents and Settings\t2\Desktop\HijackThis.msi
[2011/06/20 19:08:41 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/06/20 19:08:40 | 000,000,874 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/06/20 19:08:17 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/06/20 18:57:13 | 000,001,770 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2011/06/20 18:56:01 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/06/20 17:18:03 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/06/14 15:27:32 | 000,010,240 | ---- | M] () -- C:\Documents and Settings\t2\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/06/13 18:00:49 | 000,001,583 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2011/06/03 17:01:34 | 000,002,491 | ---- | M] () -- C:\Documents and Settings\t2\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Word.lnk
[2011/06/02 19:21:55 | 000,000,825 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/06/02 19:12:07 | 000,000,103 | ---- | M] () -- C:\Documents and Settings\t2\Desktop\fix.reg
[2011/06/02 19:11:56 | 000,000,103 | ---- | M] () -- C:\Documents and Settings\t2\My Documents\fix.reg
[2011/06/02 18:16:57 | 117,051,341 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2011/06/02 15:49:13 | 000,002,477 | ---- | M] () -- C:\Documents and Settings\t2\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft PowerPoint.lnk
[2011/06/02 15:43:56 | 000,006,458 | -HS- | M] () -- C:\Documents and Settings\t2\Local Settings\Application Data\pc3fb5o7dj15413m2502x17m674vok55g06o5n000
[2011/06/02 15:43:56 | 000,006,458 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\pc3fb5o7dj15413m2502x17m674vok55g06o5n000
[2011/05/29 09:11:30 | 000,039,984 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/05/29 09:11:20 | 000,022,712 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/06/20 19:10:22 | 000,002,441 | ---- | C] () -- C:\Documents and Settings\t2\Desktop\HiJackThis.lnk
[2011/06/20 19:09:47 | 001,402,880 | ---- | C] () -- C:\Documents and Settings\t2\Desktop\HijackThis.msi
[2011/06/13 18:00:49 | 000,001,583 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2011/06/02 19:21:55 | 000,000,825 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/06/02 19:12:07 | 000,000,103 | ---- | C] () -- C:\Documents and Settings\t2\Desktop\fix.reg
[2011/06/02 19:11:44 | 000,000,103 | ---- | C] () -- C:\Documents and Settings\t2\My Documents\fix.reg
[2011/06/02 15:53:51 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/06/02 15:40:27 | 000,006,458 | -HS- | C] () -- C:\Documents and Settings\t2\Local Settings\Application Data\pc3fb5o7dj15413m2502x17m674vok55g06o5n000
[2011/06/02 15:40:27 | 000,006,458 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\pc3fb5o7dj15413m2502x17m674vok55g06o5n000
[2011/05/19 11:42:29 | 000,142,828 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2011/03/29 18:50:26 | 000,555,504 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011/03/07 16:52:00 | 000,010,240 | ---- | C] () -- C:\Documents and Settings\t2\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/11/02 21:11:55 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/11/02 21:11:53 | 000,000,063 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2010/11/02 21:10:03 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NSREX.INI
[2010/11/02 20:04:24 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/11/02 19:58:39 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/11/02 14:37:58 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/11/02 14:36:46 | 000,731,432 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2006/02/28 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2006/02/28 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2006/02/28 08:00:00 | 000,441,124 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2006/02/28 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2006/02/28 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2006/02/28 08:00:00 | 000,071,060 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2006/02/28 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2006/02/28 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2006/02/28 08:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2006/02/28 08:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2006/02/28 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2006/02/28 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/08/06 16:23:08 | 000,131,072 | ---- | C] () -- C:\WINDOWS\System32\e1000msg.dll
[1999/01/22 14:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== LOP Check ==========

[2011/06/02 20:57:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2011/01/13 09:52:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG10
[2011/05/03 11:55:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\cH31001FdJlA31001
[2010/11/02 21:33:00 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2011/05/26 17:16:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011/05/18 20:49:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/11/17 14:17:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\t2\Application Data\AVG10
[2011/06/20 17:46:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\t2\Application Data\Azureus

========== Purity Check ==========



< End of report >
  • 0

Advertisements


#2
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,330 posts
  • MVP
Uninstall anything from Conduit or calling itself Coupons. Does not belong on a business computer.

Clear the Java Cache by following the instructions on
http://www.java.com/...lugin_cache.xml


Copy the text in the code box by highlighting and Ctrl + c

:OTL
IE - HKCU\..\URLSearchHook: {37153479-1976-43c3-a1ee-557513977b64} - C:\Program Files\Coupons.com\prxtbCou0.dll (Conduit Ltd.)
O2 - BHO: (Coupons.com Toolbar) - {37153479-1976-43c3-a1ee-557513977b64} - C:\Program Files\Coupons.com\prxtbCou0.dll (Conduit Ltd.)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - File not found
O3 - HKLM\..\Toolbar: (Coupons.com Toolbar) - {37153479-1976-43c3-a1ee-557513977b64} - C:\Program Files\Coupons.com\prxtbCou0.dll (Conduit Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (Coupons.com Toolbar) - {37153479-1976-43C3-A1EE-557513977B64} - C:\Program Files\Coupons.com\prxtbCou0.dll (Conduit Ltd.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
[2011/06/02 15:43:56 | 000,006,458 | -HS- | M] () -- C:\Documents and Settings\t2\Local Settings\Application Data\pc3fb5o7dj15413m2502x17m674vok55g06o5n000
[2011/06/02 15:43:56 | 000,006,458 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\pc3fb5o7dj15413m2502x17m674vok55g06o5n000
[2011/05/03 11:55:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\cH31001FdJlA31001

     
:Commands
[RESETHOSTS]
[purity]
[Reboot]

then run OTL and Under the Custom Scans/Fixes box at the bottom, paste (ctrl +v) the text. Verify that you got it all and Then click the Run Fix button at the top
Let the program run unhindered, OTL will reboot the PC when it is done. Save the log and copy and paste it to a reply.

Open OTL again and select either the UAll option in the Extra Registry group, Also change the file age to 120 days then hit the Run Scan button. Post the two logs it produces in your next reply.

Run MBAM again, Quick scan. Make sure it updates first. Copy and paste the log.

We need to run Combofix but it won't run with AVG so we need to uninstall it. We will replace it with the free Avast so you won't be without an A-V.

Download and save the AVG removal tool
http://download.avg....6_2011_1184.exe
Don't run it yet.

Download and save the free Avast installer:
http://www.avast.com...ivirus-download
Don't run it yet.

Uninstall AVG with the Control Panel, Add/Remove Programs.

Run the AVG removal tool

Run the Avast installer. (Note as a business you aren't really allowed to keep Avast without paying them but they don't mind you trying it for 30 days.)

ComboFix
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop, do not run it :!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Save this file -- to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Doubleclick on ComboFix to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan
Posted Image

On completion of the scan (Note if the Fix button is enabled and tell me) click save log, save it to your desktop and post in your next reply
Posted Image

Download TDSSKiller:
http://support.kaspe.../tdsskiller.exe
Save it to your desktop then run it.
Double click on TDSSKiller.exe
If TDSSKiller alerts you that the system needs to reboot, please consent.
When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.

Ron
  • 0

#3
darkthief33

darkthief33

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
I completed all the steps but there was one small hiccup. I ran the avg remover before combofix but combofix said it was still present, even though i had removed it through addremove progrems almost a month ago and deleted all the files and ran that remover. It didn't appear to influence anything as nothing is broken (as far as i can tell). as i go to post these logs i realized that i never ran otl again =\ i did the copy and paste you asked me to but apparently didn't save that log and never ran it again and saved the two logs it posted :). i'll post the rest of the logs though and i'll run that scan again if you ask. Skipping the second direction doesn't look very good on me.


Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6931

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/23/2011 5:27:26 PM
mbam-log-2011-06-23 (17-27-26).txt

Scan type: Quick scan
Objects scanned: 191421
Time elapsed: 14 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\t2\local settings\Temp\0.8717793865186131.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.







ComboFix 11-06-23.01 - t2 06/23/2011 18:27:20.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1657 [GMT -4:00]
Running from: c:\documents and settings\t2\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\t2\Application Data\Adobe\plugs
c:\documents and settings\t2\Application Data\Adobe\shed
c:\windows\system32\bszip.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-05-23 to 2011-06-23 )))))))))))))))))))))))))))))))
.
.
2011-06-23 22:23 . 2011-06-23 22:23 -------- d-----w- c:\windows\LastGood
2011-06-23 21:49 . 2011-05-10 11:59 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-06-23 21:49 . 2011-05-10 12:03 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-06-23 21:49 . 2011-05-10 12:02 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-06-23 21:49 . 2011-05-10 11:59 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-06-23 21:49 . 2011-05-10 12:03 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-06-23 21:49 . 2011-05-10 12:02 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-06-23 21:49 . 2011-05-10 12:02 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-06-23 21:49 . 2011-05-10 11:59 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-06-23 21:48 . 2011-05-10 12:10 40112 ----a-w- c:\windows\avastSS.scr
2011-06-23 21:48 . 2011-05-10 12:10 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-06-23 21:48 . 2011-06-23 21:48 -------- d-----w- c:\program files\AVAST Software
2011-06-23 21:48 . 2011-06-23 21:48 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-06-23 20:55 . 2011-06-23 20:55 -------- d-----w- c:\program files\Common Files\Java
2011-06-23 20:27 . 2011-06-23 20:27 -------- d-----w- C:\_OTL
2011-06-20 23:10 . 2011-06-20 23:10 388096 ----a-r- c:\documents and settings\t2\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-19 17:27 . 2011-06-19 17:27 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-17 00:47 . 2011-06-17 00:47 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-06-13 21:59 . 2011-06-13 21:59 -------- d-----w- c:\program files\iPod
2011-06-07 16:35 . 2011-06-07 16:35 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
2011-06-06 21:18 . 2011-06-06 21:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Coupons.com
2011-06-06 21:18 . 2011-06-06 21:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2011-06-02 23:22 . 2011-06-02 23:22 -------- d-----w- c:\documents and settings\t2\Application Data\Malwarebytes
2011-06-02 23:21 . 2011-06-02 23:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-06-02 23:21 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-02 23:21 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-02 23:21 . 2011-06-02 23:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-02 22:55 . 2011-06-02 22:55 -------- d-----w- c:\program files\Trend Micro
2011-06-02 22:16 . 2011-06-02 22:16 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-06-02 20:22 . 2011-06-02 20:22 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-10 12:06 . 2011-05-19 00:46 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-05-10 12:06 . 2011-05-19 00:46 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-05-04 08:52 . 2010-11-27 20:42 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-04 06:25 . 2010-11-27 20:42 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 20:20 . 2011-04-06 20:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-29 23:54 . 2010-11-17 00:26 249856 ------w- c:\windows\Setup1.exe
2011-03-29 23:54 . 2010-11-17 00:26 73216 ----a-w- c:\windows\ST6UNST.EXE
2011-03-29 20:56 . 2011-03-29 20:56 348256 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSTAHost\CorelPHOTOPAINT\9.0\1033\ResourceCache.dll
2011-03-29 20:55 . 2011-03-29 20:55 348256 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSTAHost\CorelDRAW\9.0\1033\ResourceCache.dll
2011-03-29 20:54 . 2011-03-29 20:54 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
1998-12-09 02:53 . 1998-12-09 02:53 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 . 1998-12-09 02:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL
1998-12-09 02:53 . 1998-12-09 02:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-11-5 811008]
Symantec Fax Starter Edition Port.lnk - c:\program files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 45568]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [6/23/2011 5:49 PM 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [6/23/2011 5:49 PM 307928]
R1 siigpar;SIIG Parallel port driver;c:\windows\system32\drivers\siigpar.sys [11/16/2010 8:24 PM 81920]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/23/2011 5:49 PM 19544]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/2/2011 7:21 PM 366640]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/2/2011 7:21 PM 22712]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/17/2010 2:36 PM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [11/17/2010 2:36 PM 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/2/2011 7:21 PM 39984]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ASWSNX
*NewlyCreated* - WUAUSERV
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
2011-06-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-17 18:36]
.
2011-06-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-17 18:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: mvpizza02
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-23 19:07
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD400BB-23FJA0 rev.13.03G13 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-c
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x89B3831B
user & kernel MBR OK
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
"value"="?\04\01\12\15\103\0f"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(724)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'lsass.exe'(784)
c:\windows\system32\WININET.dll
.
Completion time: 2011-06-23 19:20:32
ComboFix-quarantined-files.txt 2011-06-23 23:20
.
Pre-Run: 5,884,329,984 bytes free
Post-Run: 7,364,554,752 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 712F0A8540016B0C3FF8A84414824309



aswMBR version 0.9.7.675 Copyright© 2011 AVAST Software
Run date: 2011-06-23 19:25:13
-----------------------------
19:25:13.515 OS Version: Windows 5.1.2600 Service Pack 3
19:25:13.515 Number of processors: 2 586 0x401
19:25:13.515 ComputerName: MVP2010 UserName: t2
19:25:14.406 Initialize success
19:25:14.515 AVAST engine defs: 11062301
19:25:30.875 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-c
19:25:30.875 Disk 0 Vendor: WDC_WD400BB-23FJA0 13.03G13 Size: 38162MB BusType: 3
19:25:30.875 Device \Driver\atapi -> DriverStartIo 89b3831b
19:25:32.890 Disk 0 MBR read successfully
19:25:32.890 Disk 0 MBR scan
19:25:32.890 Disk 0 MBR:Alureon-G [Rtk]
19:25:32.890 Disk 0 [email protected] code has been found
19:25:32.890 Disk 0 Windows XP default MBR code found via API
19:25:32.890 Disk 0 MBR hidden
19:25:32.890 Disk 0 MBR [TDL4] **ROOTKIT**
19:25:32.890 Disk 0 trace - called modules:
19:25:32.890 ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89b384d0]<<
19:25:32.890 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89b9dab8]
19:25:32.890 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\0000005f[0x89b6e9e8]
19:25:32.890 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> [0x89bbbb00]
19:25:32.890 \Driver\atapi[0x89be7630] -> IRP_MJ_CREATE -> 0x89b384d0
19:25:33.218 AVAST engine scan C:\WINDOWS
19:40:42.703 AVAST engine scan C:\Documents and Settings\t2
19:43:14.156 AVAST engine scan C:\Documents and Settings\All Users
19:48:00.140 Scan finished successfully
19:53:17.828 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\t2\Desktop\virus removal\MBR.dat"
19:53:17.859 The log file has been saved successfully to "C:\Documents and Settings\t2\Desktop\virus removal\aswMBR.txt"





2011/06/23 19:54:23.0328 3492 TDSS rootkit removing tool 2.5.5.0 Jun 16 2011 15:25:15
2011/06/23 19:54:23.0671 3492 ================================================================================
2011/06/23 19:54:23.0671 3492 SystemInfo:
2011/06/23 19:54:23.0671 3492
2011/06/23 19:54:23.0671 3492 OS Version: 5.1.2600 ServicePack: 3.0
2011/06/23 19:54:23.0671 3492 Product type: Workstation
2011/06/23 19:54:23.0671 3492 ComputerName: MVP2010
2011/06/23 19:54:23.0671 3492 UserName: t2
2011/06/23 19:54:23.0671 3492 Windows directory: C:\WINDOWS
2011/06/23 19:54:23.0671 3492 System windows directory: C:\WINDOWS
2011/06/23 19:54:23.0671 3492 Processor architecture: Intel x86
2011/06/23 19:54:23.0671 3492 Number of processors: 2
2011/06/23 19:54:23.0671 3492 Page size: 0x1000
2011/06/23 19:54:23.0671 3492 Boot type: Normal boot
2011/06/23 19:54:23.0671 3492 ================================================================================
2011/06/23 19:54:24.0765 3492 Initialize success
2011/06/23 19:54:29.0109 3440 ================================================================================
2011/06/23 19:54:29.0109 3440 Scan started
2011/06/23 19:54:29.0109 3440 Mode: Manual;
2011/06/23 19:54:29.0109 3440 ================================================================================
2011/06/23 19:54:30.0546 3440 Aavmker4 (3f6884eff406238d39aaa892218f1df7) C:\WINDOWS\system32\drivers\Aavmker4.sys
2011/06/23 19:54:30.0750 3440 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/06/23 19:54:30.0843 3440 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/06/23 19:54:30.0953 3440 aeaudio (9f59ae2de835641fbb0c6afd80d8fa9b) C:\WINDOWS\system32\drivers\aeaudio.sys
2011/06/23 19:54:31.0062 3440 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/06/23 19:54:31.0171 3440 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys
2011/06/23 19:54:31.0468 3440 aswFsBlk (7f08d9c504b015d81a8abd75c80028c5) C:\WINDOWS\system32\drivers\aswFsBlk.sys
2011/06/23 19:54:31.0578 3440 aswMon2 (c2181ef6b54752273a0759a968c59279) C:\WINDOWS\system32\drivers\aswMon2.sys
2011/06/23 19:54:31.0687 3440 aswRdr (ac48bdd4cd5d44af33087c06d6e9511c) C:\WINDOWS\system32\drivers\aswRdr.sys
2011/06/23 19:54:31.0843 3440 aswSnx (b64134316fcd1f20e0f10ef3e65bd522) C:\WINDOWS\system32\drivers\aswSnx.sys
2011/06/23 19:54:32.0031 3440 aswSP (d6788e3211afa9951ed7a4d617f68a4f) C:\WINDOWS\system32\drivers\aswSP.sys
2011/06/23 19:54:32.0140 3440 aswTdi (4d100c45517809439c7b6dd98997fa00) C:\WINDOWS\system32\drivers\aswTdi.sys
2011/06/23 19:54:32.0234 3440 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/06/23 19:54:32.0328 3440 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/06/23 19:54:32.0453 3440 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/06/23 19:54:32.0562 3440 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/06/23 19:54:32.0625 3440 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/06/23 19:54:32.0828 3440 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/06/23 19:54:32.0937 3440 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/06/23 19:54:33.0046 3440 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/06/23 19:54:33.0156 3440 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/06/23 19:54:33.0437 3440 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/06/23 19:54:33.0546 3440 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/06/23 19:54:33.0703 3440 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/06/23 19:54:33.0796 3440 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/06/23 19:54:33.0875 3440 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/06/23 19:54:34.0015 3440 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/06/23 19:54:34.0125 3440 E1000 (4beb6f44b0dc94af9fb20e97ab7ad47c) C:\WINDOWS\system32\DRIVERS\e1000325.sys
2011/06/23 19:54:34.0218 3440 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2011/06/23 19:54:34.0328 3440 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/06/23 19:54:34.0421 3440 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/06/23 19:54:34.0484 3440 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/06/23 19:54:34.0593 3440 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/06/23 19:54:34.0718 3440 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/06/23 19:54:34.0828 3440 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/06/23 19:54:34.0906 3440 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/06/23 19:54:35.0046 3440 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/06/23 19:54:35.0125 3440 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/06/23 19:54:35.0203 3440 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/06/23 19:54:35.0359 3440 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/06/23 19:54:35.0843 3440 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/06/23 19:54:36.0171 3440 ialm (0294a30b302ca71a2c26e582dda93486) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2011/06/23 19:54:36.0296 3440 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/06/23 19:54:36.0437 3440 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/06/23 19:54:36.0515 3440 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/06/23 19:54:36.0593 3440 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/06/23 19:54:36.0671 3440 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/06/23 19:54:36.0781 3440 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/06/23 19:54:36.0843 3440 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/06/23 19:54:36.0953 3440 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/06/23 19:54:37.0062 3440 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/06/23 19:54:37.0156 3440 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/06/23 19:54:37.0234 3440 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/06/23 19:54:37.0312 3440 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/06/23 19:54:37.0406 3440 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/06/23 19:54:37.0500 3440 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/06/23 19:54:37.0671 3440 MBAMProtector (3d2c13377763eeac0ca6fb46f57217ed) C:\WINDOWS\system32\drivers\mbam.sys
2011/06/23 19:54:37.0734 3440 MBAMSwissArmy (b309912717c29fc67e1ba4730a82b6dd) C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2011/06/23 19:54:37.0828 3440 MidiSyn (8c7d037a53b495e7c250fd70b158b581) C:\WINDOWS\system32\drivers\MidiSyn.sys
2011/06/23 19:54:37.0906 3440 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/06/23 19:54:38.0031 3440 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/06/23 19:54:38.0125 3440 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/06/23 19:54:38.0218 3440 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/06/23 19:54:38.0312 3440 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/06/23 19:54:38.0453 3440 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/06/23 19:54:38.0609 3440 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/06/23 19:54:38.0750 3440 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/06/23 19:54:38.0828 3440 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/06/23 19:54:38.0890 3440 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/06/23 19:54:38.0953 3440 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/06/23 19:54:39.0031 3440 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/06/23 19:54:39.0140 3440 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/06/23 19:54:39.0281 3440 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/06/23 19:54:39.0375 3440 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/06/23 19:54:39.0406 3440 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/06/23 19:54:39.0515 3440 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/06/23 19:54:39.0562 3440 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/06/23 19:54:39.0671 3440 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/06/23 19:54:39.0781 3440 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/06/23 19:54:39.0937 3440 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/06/23 19:54:40.0062 3440 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/06/23 19:54:40.0171 3440 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/06/23 19:54:40.0234 3440 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/06/23 19:54:40.0296 3440 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/06/23 19:54:40.0375 3440 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/06/23 19:54:40.0437 3440 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/06/23 19:54:40.0578 3440 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/06/23 19:54:40.0671 3440 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/06/23 19:54:40.0812 3440 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
2011/06/23 19:54:40.0859 3440 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/06/23 19:54:41.0156 3440 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/06/23 19:54:41.0234 3440 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/06/23 19:54:41.0281 3440 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/06/23 19:54:41.0468 3440 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/06/23 19:54:41.0546 3440 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/06/23 19:54:41.0609 3440 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/06/23 19:54:41.0687 3440 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/06/23 19:54:41.0812 3440 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/06/23 19:54:41.0906 3440 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/06/23 19:54:42.0000 3440 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/06/23 19:54:42.0109 3440 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/06/23 19:54:42.0234 3440 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/06/23 19:54:42.0375 3440 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/06/23 19:54:42.0468 3440 senfilt (7a05f0bc834446c72ebc0ed846f37847) C:\WINDOWS\system32\drivers\senfilt.sys
2011/06/23 19:54:42.0562 3440 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/06/23 19:54:42.0671 3440 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/06/23 19:54:42.0750 3440 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/06/23 19:54:42.0875 3440 siigpar (e9e34d64c1efde2eb2b3488e4908c4fb) C:\WINDOWS\system32\DRIVERS\siigpar.sys
2011/06/23 19:54:43.0015 3440 smwdm (1319ea66a96250d59665d133c0ff7cd0) C:\WINDOWS\system32\drivers\smwdm.sys
2011/06/23 19:54:43.0156 3440 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/06/23 19:54:43.0281 3440 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/06/23 19:54:43.0343 3440 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/06/23 19:54:43.0484 3440 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/06/23 19:54:43.0546 3440 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/06/23 19:54:43.0734 3440 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/06/23 19:54:43.0890 3440 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/06/23 19:54:44.0000 3440 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/06/23 19:54:44.0062 3440 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/06/23 19:54:44.0140 3440 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/06/23 19:54:44.0296 3440 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/06/23 19:54:44.0421 3440 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/06/23 19:54:44.0546 3440 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/06/23 19:54:44.0640 3440 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/06/23 19:54:44.0687 3440 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/06/23 19:54:44.0765 3440 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/06/23 19:54:44.0859 3440 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/06/23 19:54:44.0937 3440 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/06/23 19:54:45.0031 3440 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/06/23 19:54:45.0109 3440 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/06/23 19:54:45.0265 3440 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/06/23 19:54:45.0421 3440 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/06/23 19:54:45.0531 3440 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/06/23 19:54:45.0671 3440 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/06/23 19:54:45.0765 3440 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/06/23 19:54:45.0812 3440 MBR (0x1B8) (2839639fa37b8353e792a2a30a12ced3) \Device\Harddisk0\DR0
2011/06/23 19:54:45.0828 3440 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/06/23 19:54:45.0828 3440 ================================================================================
2011/06/23 19:54:45.0828 3440 Scan finished
2011/06/23 19:54:45.0828 3440 ================================================================================
2011/06/23 19:54:45.0843 3348 Detected object count: 1
2011/06/23 19:54:45.0843 3348 Actual detected object count: 1
2011/06/23 19:54:54.0171 3348 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/06/23 19:54:54.0171 3348 \Device\Harddisk0\DR0 - ok
2011/06/23 19:54:54.0171 3348 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure
2011/06/23 19:54:58.0921 0700 Deinitialize success
  • 0

#4
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,330 posts
  • MVP
Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************

Killall::

SecCenter::
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

RegNull::
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]

RegLock::
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1]

Registry::
[-HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
[-HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1]

******************************************

Now open notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all then File, SAVE AS, (to your Desktop), CFScript , OK. Close notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.

Pause your anti-virus.

Drag CFScript.txt over to Combofix and let go Combofix should start on its own.

Post the new log.

Run TDSSKiller again to make sure it was able to fix the problem it found.

Then run aswMBR again and if the FIX button (not the FixMBR button) is enabled, press it and post the resulting log. If not just post the log.

Run OTL and post both logs (the step you skipped)
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP