cannot remove alureon.a


#31 maliprog (Trusted Helper, Malware Removal)
Let's see if the infection is back. If you didn't uninstall AVP from your system, closing AVPTool will uninstall the application automatically.

Step 1

If you are transferring files between PCs, then first we need to disinfect your USB memory so you can transfer files and not get infected.

Do this on the clean computer:

  • Flash Drive Disinfector: download Flash_Disinfector.exe by sUBs from here and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you run it. Don't delete this folder...it will help protect your drives from future infection.

Step 2

Please close all running programs and Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

    :Files
    ipconfig /flushdns /c
    netsh winsock reset catalog /c

    :Commands
    [resethosts]
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the fix log it produces in your next reply or you can find it in C:\_OTL\MovedFiles

Step 3

Delete TDSSKiller from your PC and download the new version. Do a scan and post the log here for me.

Step 4

Just delete aswMBR (if it exists) and download a new one.

Download aswMBR.exe ( 511KB ) to your desktop.

  • Double click the aswMBR.exe to run it
  • Click the "Scan" button to start the scan
  • On completion of the scan click save log, save it to your desktop and post in your next reply

Step 5

Please don't forget to include these items in your reply:

  • OTL fix log
  • TDSSKiller log
  • aswMBR log
It would be helpful if you could post each log in a separate post.

#32 yellowpower123 (Topic Starter)
OTL fix log

All processes killed
========== OTL ==========
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Administrator\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Administrator\Desktop\cmd.txt deleted successfully.
< netsh winsock reset catalog /c >
Sucessfully reset the Winsock Catalog.
You must restart the machine in order to complete the reset.
C:\Documents and Settings\Administrator\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Administrator\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 2216861100 bytes
->Temporary Internet Files folder emptied: 4820684 bytes
->Java cache emptied: 13424805 bytes
->FireFox cache emptied: 59017831 bytes
->Flash cache emptied: 5960586 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 115334 bytes
->Temporary Internet Files folder emptied: 162896513 bytes
->Java cache emptied: 581 bytes
->Flash cache emptied: 456 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2142714 bytes
%systemroot%\System32 .tmp files removed: 1162769 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 13085813 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 102662729 bytes

Total Files Cleaned = 2,463.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User

User: LocalService

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.24.1 log created on 08072011_033236

#33 yellowpower123 (Topic Starter)
TDSSKILLER

2011/08/07 16:38:27.0562 2536 TDSS rootkit removing tool 2.5.14.0 Aug 5 2011 16:09:29
2011/08/07 16:38:27.0593 2536 ================================================================================
2011/08/07 16:38:27.0593 2536 SystemInfo:
2011/08/07 16:38:27.0593 2536
2011/08/07 16:38:27.0593 2536 OS Version: 5.1.2600 ServicePack: 2.0
2011/08/07 16:38:27.0593 2536 Product type: Workstation
2011/08/07 16:38:27.0593 2536 ComputerName: HOME
2011/08/07 16:38:27.0593 2536 UserName: Administrator
2011/08/07 16:38:27.0593 2536 Windows directory: C:\WINDOWS
2011/08/07 16:38:27.0593 2536 System windows directory: C:\WINDOWS
2011/08/07 16:38:27.0593 2536 Processor architecture: Intel x86
2011/08/07 16:38:27.0593 2536 Number of processors: 1
2011/08/07 16:38:27.0593 2536 Page size: 0x1000
2011/08/07 16:38:27.0593 2536 Boot type: Normal boot
2011/08/07 16:38:27.0593 2536 ================================================================================
2011/08/07 16:38:29.0734 2536 Initialize success
2011/08/07 16:38:31.0140 1988 ================================================================================
2011/08/07 16:38:31.0140 1988 Scan started
2011/08/07 16:38:31.0140 1988 Mode: Manual;
2011/08/07 16:38:31.0140 1988 ================================================================================
2011/08/07 16:38:59.0468 1988 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/08/07 16:39:00.0343 1988 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk1\DR2
2011/08/07 16:39:00.0375 1988 Boot (0x1200) (44cf9a9fef48e65ad000bdb7c189855d) \Device\Harddisk0\DR0\Partition0
2011/08/07 16:39:00.0390 1988 Boot (0x1200) (9432dd1f244180d783ff3fb843b454a8) \Device\Harddisk1\DR2\Partition0
2011/08/07 16:39:00.0406 1988 ================================================================================
2011/08/07 16:39:00.0406 1988 Scan finished
2011/08/07 16:39:00.0406 1988 ================================================================================
2011/08/07 16:39:00.0437 2516 Detected object count: 0
2011/08/07 16:39:00.0437 2516 Actual detected object count: 0

#34 yellowpower123 (Topic Starter)
aswMBR version 0.9.8.978 Copyright© 2011 AVAST Software
Run date: 2011-08-07 16:41:29
-----------------------------
16:41:29.062 OS Version: Windows 5.1.2600 Service Pack 2
16:41:29.062 Number of processors: 1 586 0x209
16:41:29.062 ComputerName: HOME UserName:
16:41:37.484 Initialize success
16:43:52.890 AVAST engine defs: 11080701
16:44:48.734 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
16:44:48.734 Disk 0 Vendor: WDC_WD400BB-22JHC0 05.01C05 Size: 38166MB BusType: 3
16:44:48.750 Disk 1 \Device\Harddisk1\DR2 -> \Device\00000069
16:44:48.750 Disk 1 Vendor: Size: 38166MB BusType: 0
16:44:50.812 Disk 0 MBR read successfully
16:44:50.812 Disk 0 MBR scan
16:44:52.265 Disk 0 Windows XP default MBR code
16:44:52.390 Disk 0 scanning sectors +78140160
16:44:52.765 Disk 0 scanning C:\WINDOWS\system32\drivers
16:46:03.187 Service scanning
16:46:05.312 Service MpKslaf152371 c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D5F1DFE1-1644-4A89-8856-E4C7C4D5FE88}\MpKslaf152371.sys **LOCKED** 32
16:46:06.312 Modules scanning
16:47:41.750 Disk 0 trace - called modules:
16:47:41.796 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86314860]<<
16:47:41.796 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86376ab8]
16:47:47.390 AVAST engine scan C:\WINDOWS
16:50:51.078 AVAST engine scan C:\WINDOWS\system32
17:01:15.421 AVAST engine scan C:\WINDOWS\system32\drivers
17:01:47.796 AVAST engine scan C:\Documents and Settings\Administrator
17:08:44.875 AVAST engine scan C:\Documents and Settings\All Users
17:09:19.765 Scan finished successfully
19:06:29.421 Disk 0 MBR has been saved successfully to "F:\MBR.dat"
19:06:29.531 The log file has been saved successfully to "F:\aswMBR log 2.txt"
19:10:32.328 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
19:10:32.359 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"
19:11:54.859 Disk 0 MBR has been saved successfully to "F:\MBR.dat"
19:11:54.890 The log file has been saved successfully to "F:\aswMBR log 2.txt"

Edited by yellowpower123, 07 August 2011 - 05:12 PM.


#35 yellowpower123 (Topic Starter)
For the aswMBR - this was highlighted yellow
16:46:05.312 Service MpKslaf152371 c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D5F1DFE1-1644-4A89-8856-E4C7C4D5FE88}\MpKslaf152371.sys **LOCKED** 32

This was in red:
16:47:41.796 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8631480]<<

(I saved the log to my desktop & my flashdrive )

Edited by yellowpower123, 07 August 2011 - 05:11 PM.


#36 maliprog (Trusted Helper, Malware Removal)
Hi yellowpower123,

Do you have a Recovery partition on this PC? Usually brand-name PCs have one and it can be accessed while booting your system.

#37 yellowpower123 (Topic Starter)
I reformatted my comp before but I don't see a recovery partition... I'm not sure how to access it. This is an old computer someone gave to me, so I don't even have the restore CD for it but only a reformat one.

Just a side note: before, when I got another trojan, I used system restore (the one on the computer) and restored the comp to when the virus wasn't there. Then, I read that I should turn restore off until I could delete the virus so that the comp won't make checkpoints when my comp is infected. I wasn't sure if going back to a previous state can get rid of the trojan, so currently the system restore is off and I'm afraid to reformat my computer because I'm not sure how that will affect it.

Edited by yellowpower123, 09 August 2011 - 10:48 PM.


#38 maliprog (Trusted Helper, Malware Removal)
It's always better to turn your system restore ON. That is the best solution. Let's try to fix your PC.

Re-Run aswMBR

  • Click Scan
  • On completion of the scan
  • Click the FIXMBR Button
  • Save the log as before and post in your next reply


#39 yellowpower123 (Topic Starter)
Should I do that now or later (turn on sys restore)? If now, can you tell me how?

On the last scan, I was able to update the aswMBR virus definitions when aswMBR asked me if I wanted to update. This time, for some reason, the internet doesn't work. It was very laggy today (every few seconds) and finally the scan exited for no reason. Then, when I clicked on scan again, it started scanning. However, only 1 application was in yellow. It seemed as though the one that was in red last time disappeared, which is weird because I haven't touched the computer since. So I wonder if the new virus definitions would make a difference... Should I proceed with the FixMBR or delete and install aswMBR again?

If I should go and use FixMBR: when I was about to use FixMBR it had a warning sign saying "writing a new master boot record to your system partition could damage your partition tables and cause your partition to become inaccessible". It would be OK to do it anyway, right?


Also, I turned Microsoft Essentials auto-scan off just now because it detected a tool called "VirTool:win32/VBInjet.gen!EO", which it said "this program is used to create viruses, worms and other malware", and it just automatically removed it without my consent. This was after the aswMBR scan was done, so it wasn't this that got rid of whatever was in red initially. Is that the right choice to turn it off?

#40 yellowpower123 (Topic Starter)
Here is the log before the fixMBR

aswMBR version 0.9.8.978 Copyright© 2011 AVAST Software
Run date: 2011-08-12 00:15:53
-----------------------------
00:15:53.890 OS Version: Windows 5.1.2600 Service Pack 2
00:15:53.890 Number of processors: 1 586 0x209
00:15:53.890 ComputerName: HOME UserName:
00:15:55.296 Initialize success
00:18:40.734 AVAST engine download error: 0
00:18:40.734 AVAST engine defs: 11080701
00:19:59.750 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
00:19:59.750 Disk 0 Vendor: WDC_WD400BB-22JHC0 05.01C05 Size: 38166MB BusType: 3
00:20:01.765 Disk 0 MBR read successfully
00:20:01.765 Disk 0 MBR scan
00:20:01.765 Disk 0 Windows XP default MBR code
00:20:01.765 Disk 0 scanning sectors +78140160
00:20:01.828 Disk 0 scanning C:\WINDOWS\system32\drivers
00:20:08.265 Service scanning
00:20:09.468 Service MpKsleddf507d c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D5F1DFE1-1644-4A89-8856-E4C7C4D5FE88}\MpKsleddf507d.sys **LOCKED** 32
00:20:10.156 Modules scanning
00:20:18.187 Disk 0 trace - called modules:
00:20:18.203 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys PCIIDEX.SYS
00:20:18.703 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86377ab8]
00:20:18.703 3 CLASSPNP.SYS[f764c05b] -> nt!IofCallDriver -> \Device\0000005e[0x86394258]
00:20:18.703 5 ACPI.sys[f75c2620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86390940]
00:20:19.000 AVAST engine scan C:\WINDOWS
00:20:31.859 AVAST engine scan C:\WINDOWS\system32
00:23:09.859 AVAST engine scan C:\WINDOWS\system32\drivers
00:23:24.937 AVAST engine scan C:\Documents and Settings\Administrator
00:27:27.078 AVAST engine scan C:\Documents and Settings\All Users
00:27:56.953 Scan finished successfully
00:31:17.718 Disk 0 MBR has been saved successfully to "F:\MBR.dat"
00:31:17.750 The log file has been saved successfully to "F:\aswMBR before fixmbr.txt"
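A way to automate the triage maliprog does by eye on the aswMBR logs in posts #34 and #40, as an added example that is not from the thread or from AVAST: it parses the "Disk N trace - called modules" line, flags any >>UNKNOWN [addr]<< hop or any module outside an assumed-benign Windows XP IDE disk stack, and lists **LOCKED** services separately, since a locked Microsoft Antimalware definition driver is expected. The two log excerpts are constructed from lines quoted in the thread and the known-module list is an assumption.

```python
"""Triage an aswMBR log for the two signals discussed in this thread.

Added example; it is not code from the thread, from Geeks to Go or from
AVAST. The log excerpts are constructed from lines quoted in posts #34
and #40; the known-module list is an assumption about a plain XP IDE stack.
"""
import re
from dataclasses import dataclass, field

# Assumed-benign modules on the IDE disk IRP path of this XP machine (assumption).
KNOWN_XP_DISK_STACK = frozenset({
    "ntoskrnl.exe", "classpnp.sys", "disk.sys", "acpi.sys",
    "hal.dll", "atapi.sys", "intelide.sys", "pciidex.sys",
})

# Constructed excerpt of the first scan: the trace ends in an address that
# aswMBR could not map to any loaded module.
INFECTED_LOG = r"""
16:46:05.312 Service MpKslaf152371 c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D5F1DFE1-1644-4A89-8856-E4C7C4D5FE88}\MpKslaf152371.sys **LOCKED** 32
16:47:41.750 Disk 0 trace - called modules:
16:47:41.796 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86314860]<<
16:47:41.796 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86376ab8]
16:47:47.390 AVAST engine scan C:\WINDOWS
"""

# Constructed excerpt of the later scan: every hop resolves to a known driver.
CLEAN_LOG = r"""
00:20:09.468 Service MpKsleddf507d c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D5F1DFE1-1644-4A89-8856-E4C7C4D5FE88}\MpKsleddf507d.sys **LOCKED** 32
00:20:18.187 Disk 0 trace - called modules:
00:20:18.203 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys PCIIDEX.SYS
00:20:18.703 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86377ab8]
00:20:19.000 AVAST engine scan C:\WINDOWS
"""

TIMESTAMP = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3} ")
TRACE_HEADER = re.compile(r"^Disk (\d+) trace - called modules:$")
LOCKED_SERVICE = re.compile(r"^Service (\S+) (.+?) \*\*LOCKED\*\* \d+$")
UNKNOWN_HOP = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")


@dataclass
class Triage:
    unknown_hooks: list = field(default_factory=list)       # (disk, address)
    unexpected_modules: list = field(default_factory=list)  # (disk, module)
    locked_services: list = field(default_factory=list)     # (name, path)

    @property
    def suspicious(self) -> bool:
        # Locked services alone are not a verdict: the antimalware
        # definition driver is expected to be locked, so only the
        # disk trace decides.
        return bool(self.unknown_hooks or self.unexpected_modules)


def triage_aswmbr_log(text: str, known_modules=KNOWN_XP_DISK_STACK) -> Triage:
    """Walk the log once; the line after a trace header lists the modules."""
    result = Triage()
    pending_disk = None  # disk whose module line is read next
    for raw in text.splitlines():
        line = TIMESTAMP.sub("", raw, count=1).strip()
        if not line:
            continue
        if pending_disk is not None:
            disk, pending_disk = pending_disk, None
            for addr in UNKNOWN_HOP.findall(line):
                result.unknown_hooks.append((disk, addr))
            for module in UNKNOWN_HOP.sub("", line).split():
                if module.lower() not in known_modules:
                    result.unexpected_modules.append((disk, module))
            continue
        m = TRACE_HEADER.match(line)
        if m:
            pending_disk = m.group(1)
            continue
        m = LOCKED_SERVICE.match(line)
        if m:
            result.locked_services.append((m.group(1), m.group(2)))
    return result


if __name__ == "__main__":
    for label, log in (("first scan", INFECTED_LOG), ("later scan", CLEAN_LOG)):
        t = triage_aswmbr_log(log)
        verdict = "SUSPICIOUS" if t.suspicious else "clean trace"
        print(f"{label}: {verdict}; unknown hops={t.unknown_hooks}; "
              f"unexpected={t.unexpected_modules}; "
              f"locked={[n for n, _ in t.locked_services]}")
```

The first excerpt is flagged only because of the unresolved hop; the second is clean even though it still carries a locked service, which matches what maliprog concludes from the log.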

#41 maliprog (Trusted Helper, Malware Removal)
Hi yellowpower123,

aswMBR log looks cleaner now. How is your system now? Do you have Internet back?

#42 yellowpower123 (Topic Starter)
That's weird because I didn't do the fixMBR yet
Microsoft essentials--before I turned it off--said that it detected a threat on the computer
My internet is back yet, which is weird because it's directly hooked like before and it worked before but not now so I don't think it's the internet that's the problem.

#43 maliprog (Trusted Helper, Malware Removal)
This is strange... Maybe Microsoft essentials changed something. Dr.Web can take some time to finish but I would really like to see the log from it...

Step 1

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and click Scan to run an express scan. Click OK in the pop-up window to allow the scan.
  • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, select Complete scan.
  • Complete scan sometimes takes up to 3 hours to finish so please be patient.
  • Click the green arrow at the right, and the scan will start.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.csv report.

NOTE: During the scan, a pop-up window will open asking for a full-version purchase. Simply close the window by clicking on the X in the upper right corner.

Step 2

  • Run OTL.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the "Scan All User" checkbox
  • Change "Extra Registry" option to "SafeList"
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows OTL.txt and Extra.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, and post them with your next reply.

Step 3

Please don't forget to include these items in your reply:

  • Dr.Web log
  • OTL log
  • OTL Extras log
It would be helpful if you could post each log in a separate post.

#44 yellowpower123 (Topic Starter)
or it could be the symantec antivirus which deletes things automatically too---I'll turn that off then.

#45 maliprog (Trusted Helper, Malware Removal)
Can you please confirm that you have two antivirus programs installed on your system? If this is the case, then you must remove one from your system.

Microsoft Security Essentials and Symantec

Please leave only one antivirus protection on your system and remove all other.

Anti-Virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.