
Cannot remove "Trojan horse PSW.Generic9.RDX"



#1 me4ever3131 (Member)

Hi - AVG 2012 has detected 2 Trojan horse viruses on my PC. One it deletes, the other it doesn't. When I rerun AVG the same results come up i.e. 2 Trojan horse viruses, one it deletes and the other it doesn't.

I then removed AVG & loaded AVAST antivirus & scanned using that to see if that would remove the Trojan horse. It ran & removed some suspicious files. Then I removed AVAST & put AVG back on, ran it & my 2 Trojan horses were back.

Can you help me to remove them please?

Their details are as follows - (the first is the Trojan horse that was deleted):
"Object name"; "C:\WINDOWS\system32\services.exe (1100)"
"Detection name"; "Trojan horse PSW.Generic9.RDX"
"Object type"; "process"
"SDK Type"; "Core"
"Result"; "Deleted"

"Object name"; "C:\WINDOWS\system32\services.exe (1100):\memory_009b0000"
"Detection name"; "Trojan horse PSW.Generic9.RDX"
"Object type"; "file"
"SDK Type"; "Core"
"Result"; "Infected"

thank you for taking the time to look at this.


#2 maliprog (Trusted Helper, Malware Removal)

Hello me4ever3131 and welcome to my office here at G2G! :)

My nick is maliprog and I will be your technical support on this issue. Before we start please read my notes carefully:

NOTE:
  • Malware removal is NOT instantaneous, most infections require several courses of action to completely eradicate.
  • Absence of symptoms does not always mean the computer is clean
  • Kindly follow my instructions in the order posted. Order is crucial in cleaning process.
  • Please DO NOT run any scans or fix on your own without my direction.
  • Please read all of my response through at least once before attempting to follow the procedures described.
  • If there's anything you don't understand or isn't totally clear, please come back to me for clarification.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply.
  • You must reply within 3 days or your topic will be closed

Step 1

Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop *

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Step 2

Download OTL to your Desktop

  • Double click on the icon to run it (If running Vista or Windows 7, right click on it and select "Run as an Administrator")
    . Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them if you need to start a new topic.

Step 3

Please don't forget to include these items in your reply:

  • Combofix
  • OTL log
  • OTL Extras log
It would be helpful if you could post each log in a separate post

#3 me4ever3131 (Topic Starter)

Thanks for replying so quickly maliprog.

I have printed out your instructions.

When I go to disable my AntiVirus & AntiSpyware software the longest time in their option box is 15 minutes. Do I only need to shut them down whilst running your diagnostic programs? Otherwise I can remove them via the control panel & reinstall them later. Also I have Zone Alarm as a firewall - do I need to do anything with that?

thanks.

#4 maliprog (Trusted Helper, Malware Removal)

Can you please remove your Antivirus software. You don't have to remove AntiSpyware software for now.

If you use AVG please download AVG Remover and run it in order to remove AVG. After we finish cleaning of your system you can install AVG again.

#5 me4ever3131 (Topic Starter)

I have removed AVG & run ComboFix as you described.

The disclaimer came up & then the next lot of dialog as per your description. This dialog ran quickly & then disappeared off the screen. In the meantime PC Tools Spyware doctor told me that suspicious activity was taking place & would reboot my PC - which it did.

When my PC rebooted I searched for ComboFix.txt but did not find anything. However a folder called ComboFix was directly under C:\ ie C:\ComboFix with 200 files & 1 folder called N_

Also at some stage I have lost my D: drive which was a partition on my C: drive - I'm not sure when this has happened.

I have not re-run ComboFix as per your instructions.

thanks

#6 maliprog (Trusted Helper, Malware Removal)

That means that Combofix didn't run. Probably malware was stopping it from doing its job.

Also at some stage I have lost my D: drive which was a partition on my C: drive - I'm not sure when this has happened.


This could be malware in action. Let's see these logs. Can you please back up your files before we continue. Maybe malware wouldn't like us to touch it and can cause damage. After backup please continue with steps.

Step 1

Please read carefully and follow these steps.

Download TDSSKiller.zip from Kaspersky and save it to your Desktop.
  • Extract the zip file to its own folder.
  • Double click TDSSKiller.exe to run the program (Run as Administrator for Vista/Windows 7).
  • Click Start scan to start scanning.
  • If infection is detected, the default setting for "action" should be Cure
    • (If suspicious file is detected please click on it and change it to Skip).
  • Click Continue button
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
Step 2


Download aswMBR.exe ( 511KB ) to your desktop.


  • Double click the aswMBR.exe to run it
  • Click the "Scan" button to start scan
  • On completion of the scan click save log, save it to your desktop and post aswMBR.txt in your next reply
  • Also, ZIP MBR.dat it creates and attach it to your next reply
Step 3


Please don't forget to include these items in your reply:

  • TDSSKiller log
  • aswMBR log
It would be helpful if you could post each log in a separate post
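A worked example, added here and not part of the thread or of TDSSKiller, OTL or any of the helper's tools, showing the two checks the steps above rely on: hashing a fixed set of objects and comparing the result with what is expected (the /md5start list in the OTL step of post #2, and the per-driver MD5s TDSSKiller prints), and hashing the boot code of each disk's MBR, which is what the "MBR (0x1B8)" lines in the TDSSKiller log posted later in this thread record. The log lines and the MBR bytes in the script are constructed for the example. The reading of TDSSKiller's 0x1B8 figure as the length of the hashed bootstrap-code region (440 bytes, everything before the disk signature and partition table) is an assumption taken from the number in the label, not from Kaspersky documentation.

```python
"""Parse a TDSSKiller-style log and reproduce its MBR boot-code hash.

Added example for this thread; not TDSSKiller's, OTL's or the helper's code.
SAMPLE_LOG is constructed to match the format posted later in the thread and
the MBR bytes are synthetic.  Assumption: "MBR (0x1B8)" means the MD5 of the
first 0x1B8 (440) bytes of sector 0, i.e. the bootstrap code only, excluding
the disk signature at 0x1B8 and the partition table at 0x1BE.
"""
import hashlib
import re
import struct

SAMPLE_LOG = """\
00:06:54.0890 18268 ACPI (8fd99680a539792a30e97944fdaecf17) C:\\WINDOWS\\system32\\DRIVERS\\ACPI.sys
00:06:54.0890 18268 ACPI - ok
00:06:59.0437 18268 tup4ho.sys - ok
00:07:00.0250 18268 MBR (0x1B8) (22f7ef84756c469b20b09cb1402e469a) \\Device\\Harddisk0\\DR0
00:07:02.0109 18268 \\Device\\Harddisk0\\DR0 - ok
00:07:02.0125 18268 MBR (0x1B8) (f381baacfc1778337c007982b0c32d82) \\Device\\Harddisk1\\DR1
00:07:02.0125 18268 \\Device\\Harddisk1\\DR1 ( Backdoor.Win32.Sinowal.knf ) - infected
00:07:02.0125 18268 \\Device\\Harddisk1\\DR1 - detected Backdoor.Win32.Sinowal.knf (0)
"""

# "<time> <thread-id> <object> (<md5>) <path>": an object TDSSKiller hashed.
OBJ_RE = re.compile(r"^\S+ \d+ (?P<name>.+?) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# "<time> <thread-id> <object> [( <malware> )] - ok|infected|detected ...": its verdict.
STATUS_RE = re.compile(
    r"^\S+ \d+ (?P<name>\S+)(?: \( (?P<verdict>[^)]+) \))? - (?P<status>ok|infected|detected .*)$")


def parse_tdsskiller_log(text):
    """Return (hashes, verdicts): object -> md5, and object -> (status, malware name).
    MBR/Boot entries are keyed by device path so each disk keeps its own hash."""
    hashes, verdicts = {}, {}
    for line in text.splitlines():
        m = OBJ_RE.match(line)
        if m:
            key = m["path"] if m["name"].startswith(("MBR ", "Boot ")) else m["name"]
            hashes[key] = m["md5"]
            continue
        m = STATUS_RE.match(line)
        if m:
            status, verdict = m["status"], m["verdict"]
            if status.startswith("detected "):            # "detected <malware> (<n>)"
                status, verdict = "detected", status.split(" ", 1)[1].rsplit(" ", 1)[0]
            if verdicts.get(m["name"], ("ok", None))[0] == "ok":   # keep the first non-ok verdict
                verdicts[m["name"]] = (status, verdict)
    return hashes, verdicts


def infected_objects(text):
    """Objects the log did not mark ok: object -> (malware name, md5 if one was logged)."""
    hashes, verdicts = parse_tdsskiller_log(text)
    return {k: (v, hashes.get(k)) for k, (s, v) in verdicts.items() if s != "ok"}


def entries_without_file(text):
    """Registered driver entries reported with no file hash (no backing file on disk).
    On XP most of these are stock placeholders: a review list, not a detection."""
    hashes, verdicts = parse_tdsskiller_log(text)
    return sorted(k for k in verdicts if k not in hashes)


BOOT_CODE_LEN = 0x1B8   # 0x000 boot code; 0x1B8 disk signature; 0x1BE partition table; 0x1FE 55AA


def make_mbr(boot_code, disk_signature, partition_table=b""):
    """Assemble a synthetic 512-byte MBR (constructed test data, not a real boot loader)."""
    code = boot_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
    table = partition_table[:64].ljust(64, b"\x00")
    return code + struct.pack("<I", disk_signature) + b"\x00\x00" + table + b"\x55\xaa"


def mbr_boot_code_md5(sector0):
    """The hash the log's "MBR (0x1B8)" line is taken to record (see module docstring)."""
    if len(sector0) != 512 or sector0[510:] != b"\x55\xaa":
        raise ValueError("not a 512-byte MBR ending in 0x55AA")
    return hashlib.md5(sector0[:BOOT_CODE_LEN]).hexdigest()


def boot_code_hash_ignores_partition_table():
    """Re-signing the disk or rewriting the partition table leaves the hash unchanged;
    patching the boot code, which an MBR bootkit must do, changes it."""
    stock = b"\x33\xc0\x8e\xd0\xbc\x00\x7c"      # xor ax,ax / mov ss,ax / mov sp,7C00h
    entry = b"\x80\x01\x01\x00\x07\xfe\xff\xff" + struct.pack("<II", 63, 0x100000)  # bootable NTFS
    clean = make_mbr(stock, 0x12345678, entry)
    relabeled = make_mbr(stock, 0xDEADBEEF, b"")            # new signature, table wiped
    patched = make_mbr(b"\xe9" + stock, 0x12345678, entry)  # code now starts with a jmp
    return (mbr_boot_code_md5(clean) == mbr_boot_code_md5(relabeled),
            mbr_boot_code_md5(clean) != mbr_boot_code_md5(patched))


if __name__ == "__main__":
    for obj, (malware, md5) in infected_objects(SAMPLE_LOG).items():
        print(f"{obj}: {malware} (md5 {md5})")
    print("no backing file:", entries_without_file(SAMPLE_LOG))
    print("hash stable across relabel / changed by patch:", boot_code_hash_ignores_partition_table())
```

Running `boot_code_hash_ignores_partition_table()` gives (True, True): re-signing the disk or rewriting the partition table does not move the hash, while a one-byte patch to the code does, which is why a bootkit that has replaced the boot code shows up as a changed MBR hash even when the partition layout looks normal from Windows. `entries_without_file` lists driver entries that were reported with a verdict but no hashed file; in the posted log most of those (Abiosdsk, Aha154x and the like) are stock XP entries with no driver installed, so treat the list as something to look over, not as a finding.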

#7 me4ever3131 (Topic Starter)

I have started the back-ups, it could take some time.

When they finish I will continue as per your instructions.

thanks for your patience

#8 maliprog (Trusted Helper, Malware Removal)

OK. Backup is always a good idea when a bad infection is on board. When you finish post your logs...

#9 me4ever3131 (Topic Starter)

OK - C & E drives backed up; D drive was backed up 23 days ago.

TDSSKiller log
______________________________________________________________________

00:06:46.0984 20328 TDSS rootkit removing tool 2.7.6.0 Jan 19 2012 13:09:04
00:06:48.0171 20328 ============================================================
00:06:48.0171 20328 Current date / time: 2012/01/24 00:06:48.0171
00:06:48.0171 20328 SystemInfo:
00:06:48.0171 20328
00:06:48.0171 20328 OS Version: 5.1.2600 ServicePack: 3.0
00:06:48.0171 20328 Product type: Workstation
00:06:48.0171 20328 ComputerName: HOMEPC
00:06:48.0171 20328 UserName: Trevor
00:06:48.0171 20328 Windows directory: C:\WINDOWS
00:06:48.0171 20328 System windows directory: C:\WINDOWS
00:06:48.0171 20328 Processor architecture: Intel x86
00:06:48.0171 20328 Number of processors: 2
00:06:48.0171 20328 Page size: 0x1000
00:06:48.0171 20328 Boot type: Normal boot
00:06:48.0171 20328 ============================================================
00:06:49.0328 20328 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
00:06:49.0343 20328 Drive \Device\Harddisk1\DR1 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
00:06:49.0421 20328 Drive \Device\Harddisk3\DR10 - Size: 0x1D1C1100000 (1863.02 Gb), SectorSize: 0x200, Cylinders: 0x3B601, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
00:06:49.0500 20328 Initialize success
00:06:54.0171 18268 ============================================================
00:06:54.0171 18268 Scan started
00:06:54.0171 18268 Mode: Manual;
00:06:54.0171 18268 ============================================================
00:06:54.0843 18268 Abiosdsk - ok
00:06:54.0843 18268 abp480n5 - ok
00:06:54.0890 18268 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
00:06:54.0890 18268 ACPI - ok
00:06:54.0906 18268 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
00:06:54.0906 18268 ACPIEC - ok
00:06:54.0921 18268 adpu160m - ok
00:06:54.0937 18268 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
00:06:54.0937 18268 aec - ok
00:06:54.0968 18268 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
00:06:54.0968 18268 AFD - ok
00:06:54.0984 18268 Aha154x - ok
00:06:54.0984 18268 aic78u2 - ok
00:06:55.0000 18268 aic78xx - ok
00:06:55.0000 18268 AliIde - ok
00:06:55.0000 18268 amsint - ok
00:06:55.0046 18268 APL531 (1fc8a7e5c3aed31f00940c6ab2fd9b49) C:\WINDOWS\system32\Drivers\ov550i.sys
00:06:55.0062 18268 APL531 - ok
00:06:55.0062 18268 asc - ok
00:06:55.0062 18268 asc3350p - ok
00:06:55.0078 18268 asc3550 - ok
00:06:55.0093 18268 ASPI (54ab078660e536da72b21a27f56b035b) C:\WINDOWS\System32\DRIVERS\ASPI32.sys
00:06:55.0109 18268 ASPI - ok
00:06:55.0125 18268 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
00:06:55.0140 18268 AsyncMac - ok
00:06:55.0156 18268 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
00:06:55.0156 18268 atapi - ok
00:06:55.0187 18268 AtcL002 (cba10ed5a5981fe6122b6e7460df939b) C:\WINDOWS\system32\DRIVERS\l251x86.sys
00:06:55.0187 18268 AtcL002 - ok
00:06:55.0187 18268 Atdisk - ok
00:06:55.0203 18268 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
00:06:55.0234 18268 Atmarpc - ok
00:06:55.0296 18268 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
00:06:55.0296 18268 audstub - ok
00:06:55.0312 18268 BANTExt (5d7be7b19e827125e016325334e58ff1) C:\WINDOWS\System32\Drivers\BANTExt.sys
00:06:55.0312 18268 BANTExt - ok
00:06:55.0343 18268 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
00:06:55.0343 18268 Beep - ok
00:06:55.0390 18268 BrScnUsb (92a964547b96d697e5e9ed43b4297f5a) C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys
00:06:55.0390 18268 BrScnUsb - ok
00:06:55.0421 18268 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
00:06:55.0421 18268 cbidf2k - ok
00:06:55.0453 18268 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
00:06:55.0453 18268 CCDECODE - ok
00:06:55.0468 18268 cd20xrnt - ok
00:06:55.0484 18268 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
00:06:55.0484 18268 Cdaudio - ok
00:06:55.0515 18268 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
00:06:55.0515 18268 Cdfs - ok
00:06:55.0546 18268 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
00:06:55.0546 18268 Cdrom - ok
00:06:55.0546 18268 CmdIde - ok
00:06:55.0562 18268 Cpqarray - ok
00:06:55.0562 18268 dac2w2k - ok
00:06:55.0578 18268 dac960nt - ok
00:06:55.0578 18268 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
00:06:55.0578 18268 Disk - ok
00:06:55.0609 18268 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
00:06:55.0625 18268 dmboot - ok
00:06:55.0625 18268 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
00:06:55.0640 18268 dmio - ok
00:06:55.0640 18268 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
00:06:55.0640 18268 dmload - ok
00:06:55.0656 18268 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
00:06:55.0656 18268 DMusic - ok
00:06:55.0671 18268 dpti2o - ok
00:06:55.0687 18268 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
00:06:55.0687 18268 drmkaud - ok
00:06:55.0703 18268 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
00:06:55.0703 18268 Fastfat - ok
00:06:55.0734 18268 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
00:06:55.0734 18268 Fdc - ok
00:06:55.0734 18268 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
00:06:55.0734 18268 Fips - ok
00:06:55.0750 18268 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
00:06:55.0750 18268 Flpydisk - ok
00:06:55.0781 18268 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
00:06:55.0781 18268 FltMgr - ok
00:06:55.0796 18268 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
00:06:55.0796 18268 Fs_Rec - ok
00:06:55.0812 18268 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
00:06:55.0828 18268 Ftdisk - ok
00:06:55.0843 18268 GEARAspiWDM (4ac51459805264affd5f6fdfb9d9235f) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
00:06:55.0859 18268 GEARAspiWDM - ok
00:06:55.0890 18268 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
00:06:55.0890 18268 Gpc - ok
00:06:55.0937 18268 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
00:06:55.0937 18268 HDAudBus - ok
00:06:55.0953 18268 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
00:06:55.0953 18268 hidusb - ok
00:06:55.0968 18268 hpn - ok
00:06:56.0000 18268 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
00:06:56.0000 18268 HTTP - ok
00:06:56.0000 18268 i2omp - ok
00:06:56.0046 18268 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
00:06:56.0046 18268 i8042prt - ok
00:06:56.0062 18268 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
00:06:56.0062 18268 Imapi - ok
00:06:56.0078 18268 ini910u - ok
00:06:56.0078 18268 IntelIde - ok
00:06:56.0093 18268 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
00:06:56.0109 18268 intelppm - ok
00:06:56.0156 18268 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
00:06:56.0156 18268 ip6fw - ok
00:06:56.0187 18268 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
00:06:56.0187 18268 IpFilterDriver - ok
00:06:56.0218 18268 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
00:06:56.0218 18268 IpInIp - ok
00:06:56.0234 18268 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
00:06:56.0250 18268 IpNat - ok
00:06:56.0250 18268 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
00:06:56.0265 18268 IPSec - ok
00:06:56.0281 18268 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
00:06:56.0281 18268 IRENUM - ok
00:06:56.0296 18268 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
00:06:56.0296 18268 isapnp - ok
00:06:56.0359 18268 ISWKL (08a811bfd207dfdec588881c18bacbaa) C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys
00:06:56.0359 18268 ISWKL - ok
00:06:56.0437 18268 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
00:06:56.0437 18268 Kbdclass - ok
00:06:56.0453 18268 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
00:06:56.0453 18268 kmixer - ok
00:06:56.0500 18268 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
00:06:56.0500 18268 KSecDD - ok
00:06:56.0546 18268 MarvinBus (a3e700d78eec390f1208098cdca5c6b6) C:\WINDOWS\system32\DRIVERS\MarvinBus.sys
00:06:56.0546 18268 MarvinBus - ok
00:06:56.0578 18268 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
00:06:56.0578 18268 mnmdd - ok
00:06:56.0625 18268 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
00:06:56.0625 18268 Modem - ok
00:06:56.0671 18268 monfilt (9fa7207d1b1adead88ae8eed9cdbbaa5) C:\WINDOWS\system32\drivers\monfilt.sys
00:06:56.0703 18268 monfilt - ok
00:06:56.0718 18268 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
00:06:56.0718 18268 Mouclass - ok
00:06:56.0750 18268 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
00:06:56.0796 18268 mouhid - ok
00:06:56.0812 18268 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
00:06:56.0828 18268 MountMgr - ok
00:06:56.0828 18268 mraid35x - ok
00:06:56.0843 18268 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
00:06:56.0843 18268 MRxDAV - ok
00:06:56.0875 18268 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
00:06:56.0875 18268 MRxSmb - ok
00:06:56.0890 18268 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
00:06:56.0890 18268 Msfs - ok
00:06:56.0921 18268 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
00:06:56.0921 18268 MSKSSRV - ok
00:06:56.0921 18268 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
00:06:56.0937 18268 MSPCLOCK - ok
00:06:56.0937 18268 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
00:06:56.0937 18268 MSPQM - ok
00:06:56.0968 18268 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
00:06:56.0968 18268 mssmbios - ok
00:06:57.0000 18268 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
00:06:57.0000 18268 MSTEE - ok
00:06:57.0031 18268 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
00:06:57.0031 18268 Mup - ok
00:06:57.0046 18268 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
00:06:57.0062 18268 NABTSFEC - ok
00:06:57.0078 18268 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
00:06:57.0093 18268 NDIS - ok
00:06:57.0125 18268 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
00:06:57.0125 18268 NdisIP - ok
00:06:57.0156 18268 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
00:06:57.0156 18268 NdisTapi - ok
00:06:57.0187 18268 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
00:06:57.0187 18268 Ndisuio - ok
00:06:57.0234 18268 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
00:06:57.0234 18268 NdisWan - ok
00:06:57.0250 18268 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
00:06:57.0265 18268 NDProxy - ok
00:06:57.0281 18268 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
00:06:57.0281 18268 NetBIOS - ok
00:06:57.0296 18268 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
00:06:57.0296 18268 NetBT - ok
00:06:57.0312 18268 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
00:06:57.0312 18268 Npfs - ok
00:06:57.0343 18268 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
00:06:57.0343 18268 Ntfs - ok
00:06:57.0375 18268 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
00:06:57.0375 18268 Null - ok
00:06:57.0625 18268 nv (8b2c874897ea498da012284e12f9db2b) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
00:06:57.0906 18268 nv - ok
00:06:57.0953 18268 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
00:06:57.0968 18268 NwlnkFlt - ok
00:06:57.0968 18268 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
00:06:57.0968 18268 NwlnkFwd - ok
00:06:58.0000 18268 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
00:06:58.0000 18268 Parport - ok
00:06:58.0046 18268 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
00:06:58.0046 18268 PartMgr - ok
00:06:58.0078 18268 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
00:06:58.0078 18268 ParVdm - ok
00:06:58.0078 18268 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
00:06:58.0078 18268 PCI - ok
00:06:58.0109 18268 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
00:06:58.0109 18268 PCIIde - ok
00:06:58.0125 18268 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
00:06:58.0125 18268 Pcmcia - ok
00:06:58.0171 18268 PCTBD (3a0262b85b5bb4d4cfc096ea00ed610b) C:\WINDOWS\system32\Drivers\PCTBD.sys
00:06:58.0171 18268 PCTBD - ok
00:06:58.0203 18268 PCTCore (0edb74bd0d52d6d94cf862322e48b94e) C:\WINDOWS\system32\drivers\PCTCore.sys
00:06:58.0203 18268 PCTCore - ok
00:06:58.0218 18268 pctDS (af08ec0f2093867ab955e24121ee7002) C:\WINDOWS\system32\drivers\pctDS.sys
00:06:58.0218 18268 pctDS - ok
00:06:58.0250 18268 pctEFA (4b1b0cd45a047c0941f6b6151f6fb3c1) C:\WINDOWS\system32\drivers\pctEFA.sys
00:06:58.0265 18268 pctEFA - ok
00:06:58.0281 18268 pctgntdi (44fd6a1042c766df69bc6ba55780019d) C:\WINDOWS\system32\drivers\pctgntdi.sys
00:06:58.0296 18268 pctgntdi - ok
00:06:58.0312 18268 pctplsg (b5d22f79943e156bf8fabf1e4888820c) C:\WINDOWS\system32\drivers\pctplsg.sys
00:06:58.0312 18268 pctplsg - ok
00:06:58.0343 18268 PCTSD (86b9af53e46d0618d230608aed82622f) C:\WINDOWS\system32\Drivers\PCTSD.sys
00:06:58.0343 18268 PCTSD - ok
00:06:58.0375 18268 PenClass (4a108cc9cc0e0605e68cce7021479879) C:\WINDOWS\system32\Drivers\PenClass.sys
00:06:58.0375 18268 PenClass - ok
00:06:58.0375 18268 perc2 - ok
00:06:58.0375 18268 perc2hib - ok
00:06:58.0421 18268 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
00:06:58.0421 18268 PptpMiniport - ok
00:06:58.0437 18268 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
00:06:58.0437 18268 Processor - ok
00:06:58.0453 18268 PROCEXP113 - ok
00:06:58.0453 18268 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
00:06:58.0453 18268 PSched - ok
00:06:58.0468 18268 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
00:06:58.0468 18268 Ptilink - ok
00:06:58.0500 18268 pxscan (a5b3922b9f821fc8ff2821423e40026c) C:\WINDOWS\system32\drivers\pxscan.sys
00:06:58.0500 18268 pxscan - ok
00:06:58.0515 18268 pxsec (6613bbed3b306aee00d8a7b8d4cad5cd) C:\WINDOWS\system32\drivers\pxsec.sys
00:06:58.0515 18268 pxsec - ok
00:06:58.0531 18268 ql1080 - ok
00:06:58.0531 18268 Ql10wnt - ok
00:06:58.0531 18268 ql12160 - ok
00:06:58.0546 18268 ql1240 - ok
00:06:58.0546 18268 ql1280 - ok
00:06:58.0578 18268 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
00:06:58.0578 18268 RasAcd - ok
00:06:58.0609 18268 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
00:06:58.0609 18268 Rasl2tp - ok
00:06:58.0625 18268 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
00:06:58.0625 18268 RasPppoe - ok
00:06:58.0625 18268 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
00:06:58.0625 18268 Raspti - ok
00:06:58.0640 18268 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
00:06:58.0656 18268 Rdbss - ok
00:06:58.0671 18268 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
00:06:58.0671 18268 RDPCDD - ok
00:06:58.0687 18268 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
00:06:58.0687 18268 rdpdr - ok
00:06:58.0734 18268 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
00:06:58.0734 18268 RDPWD - ok
00:06:58.0750 18268 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
00:06:58.0750 18268 redbook - ok
00:06:58.0781 18268 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
00:06:58.0781 18268 Secdrv - ok
00:06:58.0812 18268 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
00:06:58.0812 18268 serenum - ok
00:06:58.0812 18268 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
00:06:58.0828 18268 Serial - ok
00:06:58.0828 18268 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
00:06:58.0828 18268 Sfloppy - ok
00:06:58.0843 18268 Simbad - ok
00:06:58.0875 18268 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
00:06:58.0875 18268 SLIP - ok
00:06:58.0875 18268 Sparrow - ok
00:06:58.0890 18268 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
00:06:58.0906 18268 splitter - ok
00:06:58.0921 18268 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
00:06:58.0921 18268 sr - ok
00:06:58.0968 18268 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
00:06:58.0968 18268 Srv - ok
00:06:59.0000 18268 stdriver (8bb19094def583e0eece1830457444ee) C:\WINDOWS\system32\DRIVERS\stdriver32.sys
00:06:59.0015 18268 stdriver - ok
00:06:59.0046 18268 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
00:06:59.0046 18268 streamip - ok
00:06:59.0062 18268 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
00:06:59.0062 18268 swenum - ok
00:06:59.0078 18268 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
00:06:59.0078 18268 swmidi - ok
00:06:59.0093 18268 symc810 - ok
00:06:59.0093 18268 symc8xx - ok
00:06:59.0203 18268 symsnap (c9273531eac75ee225e3170fb6107fa3) C:\WINDOWS\system32\DRIVERS\symsnap.sys
00:06:59.0203 18268 symsnap - ok
00:06:59.0218 18268 sym_hi - ok
00:06:59.0218 18268 sym_u3 - ok
00:06:59.0250 18268 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
00:06:59.0250 18268 sysaudio - ok
00:06:59.0296 18268 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
00:06:59.0296 18268 Tcpip - ok
00:06:59.0312 18268 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
00:06:59.0312 18268 TDPIPE - ok
00:06:59.0328 18268 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
00:06:59.0328 18268 TDTCP - ok
00:06:59.0343 18268 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
00:06:59.0343 18268 TermDD - ok
00:06:59.0375 18268 TfFsMon (754f8fd78ea7fa2b9a0cb8a69e0f0822) C:\WINDOWS\system32\drivers\TfFsMon.sys
00:06:59.0375 18268 TfFsMon - ok
00:06:59.0390 18268 TfNetMon (697f66899b4f0c2d8ae3e7473b4b6244) C:\WINDOWS\system32\drivers\TfNetMon.sys
00:06:59.0390 18268 TfNetMon - ok
00:06:59.0406 18268 TFSysMon (e02f47b841be86bfdf4d7269ed0b95e4) C:\WINDOWS\system32\drivers\TfSysMon.sys
00:06:59.0421 18268 TFSysMon - ok
00:06:59.0421 18268 TosIde - ok
00:06:59.0437 18268 tup4ho.sys - ok
00:06:59.0468 18268 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
00:06:59.0468 18268 Udfs - ok
00:06:59.0468 18268 ultra - ok
00:06:59.0500 18268 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
00:06:59.0500 18268 Update - ok
00:06:59.0531 18268 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\WINDOWS\system32\Drivers\usbaapl.sys
00:06:59.0531 18268 USBAAPL - ok
00:06:59.0562 18268 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
00:06:59.0578 18268 usbaudio - ok
00:06:59.0609 18268 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
00:06:59.0609 18268 usbccgp - ok
00:06:59.0625 18268 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
00:06:59.0625 18268 usbehci - ok
00:06:59.0656 18268 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
00:06:59.0656 18268 usbhub - ok
00:06:59.0687 18268 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
00:06:59.0687 18268 usbprint - ok
00:06:59.0718 18268 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
00:06:59.0718 18268 usbscan - ok
00:06:59.0750 18268 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
00:06:59.0750 18268 USBSTOR - ok
00:06:59.0750 18268 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
00:06:59.0750 18268 usbuhci - ok
00:06:59.0781 18268 v2imount (b4d63048d6358e7c6ab61b98b8cff263) C:\WINDOWS\system32\DRIVERS\v2imount.sys
00:06:59.0781 18268 v2imount - ok
00:06:59.0796 18268 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
00:06:59.0796 18268 VgaSave - ok
00:06:59.0843 18268 VIAHdAudAddService (242a8309b952f7ca9e220d3439955b0e) C:\WINDOWS\system32\drivers\viahduaa.sys
00:06:59.0859 18268 VIAHdAudAddService - ok
00:06:59.0859 18268 ViaIde - ok
00:06:59.0906 18268 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
00:06:59.0906 18268 VolSnap - ok
00:06:59.0937 18268 VProEventMonitor (e78781b2c86c92a0a738df566460f716) C:\WINDOWS\system32\DRIVERS\vproeventmonitor.sys
00:06:59.0937 18268 VProEventMonitor - ok
00:06:59.0968 18268 Vsdatant (558cee3d9c470651f1843d51b42d761b) C:\WINDOWS\system32\vsdatant.sys
00:06:59.0984 18268 Vsdatant - ok
00:07:00.0031 18268 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
00:07:00.0031 18268 Wanarp - ok
00:07:00.0046 18268 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
00:07:00.0046 18268 wdmaud - ok
00:07:00.0078 18268 WimFltr (f9ad3a5e3fd7e0bdb18b8202b0fdd4e4) C:\WINDOWS\system32\DRIVERS\wimfltr.sys
00:07:00.0093 18268 WimFltr - ok
00:07:00.0109 18268 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
00:07:00.0109 18268 WpdUsb - ok
00:07:00.0140 18268 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
00:07:00.0140 18268 WS2IFSL - ok
00:07:00.0171 18268 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
00:07:00.0171 18268 WSTCODEC - ok
00:07:00.0203 18268 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
00:07:00.0203 18268 WudfPf - ok
00:07:00.0218 18268 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
00:07:00.0218 18268 WudfRd - ok
00:07:00.0234 18268 xcpip - ok
00:07:00.0234 18268 xpsec - ok
00:07:00.0250 18268 MBR (0x1B8) (22f7ef84756c469b20b09cb1402e469a) \Device\Harddisk0\DR0
00:07:02.0109 18268 \Device\Harddisk0\DR0 - ok
00:07:02.0125 18268 MBR (0x1B8) (f381baacfc1778337c007982b0c32d82) \Device\Harddisk1\DR1
00:07:02.0125 18268 \Device\Harddisk1\DR1 ( Backdoor.Win32.Sinowal.knf ) - infected
00:07:02.0125 18268 \Device\Harddisk1\DR1 - detected Backdoor.Win32.Sinowal.knf (0)
00:07:02.0125 18268 MBR (0x1B8) (180dbde3af7ea48b3db3ac27b1ddf401) \Device\Harddisk3\DR10
00:07:02.0328 18268 \Device\Harddisk3\DR10 - ok
00:07:02.0328 18268 Boot (0x1200) (e474d10dc4c78b9f6ccd00f951600c7f) \Device\Harddisk1\DR1\Partition0
00:07:02.0328 18268 \Device\Harddisk1\DR1\Partition0 - ok
00:07:02.0343 18268 Boot (0x1200) (34f30af4d92fa04fe57fc214ef9a0498) \Device\Harddisk1\DR1\Partition1
00:07:02.0343 18268 \Device\Harddisk1\DR1\Partition1 - ok
00:07:02.0343 18268 Boot (0x1200) (b65039cba07c04091189c21a787439cc) \Device\Harddisk3\DR10\Partition0
00:07:02.0343 18268 \Device\Harddisk3\DR10\Partition0 - ok
00:07:02.0343 18268 ============================================================
00:07:02.0343 18268 Scan finished
00:07:02.0343 18268 ============================================================
00:07:02.0343 16748 Detected object count: 1
00:07:02.0343 16748 Actual detected object count: 1
00:07:39.0281 16748 \Device\Harddisk1\DR1 ( Backdoor.Win32.Sinowal.knf ) - will be cured on reboot
00:07:39.0328 16748 \Device\Harddisk1\DR1 - ok
00:07:39.0328 16748 \Device\Harddisk1\DR1 ( Backdoor.Win32.Sinowal.knf ) - User select action: Cure
00:08:01.0796 19260 Deinitialize success

________________________________________________________________________________________________________

MBR.dat => not too sure about MBR.dat as it is only 1 KB, but I'll attach it anyway.

aswMBR Log => as requested I'll send another post with this in the body.

Attached Files

  • Mbr.zip (510 bytes)

  • 0

#10
me4ever3131

    Member

  • Topic Starter
  • Member
  • 37 posts
This is the aswMBR Log

_________________________________________________

aswMBR version 0.9.9.1297 Copyright© 2011 AVAST Software
Run date: 2012-01-24 00:17:28
-----------------------------
00:17:28.812 OS Version: Windows 5.1.2600 Service Pack 3
00:17:28.812 Number of processors: 2 586 0x170A
00:17:28.812 ComputerName: HOMEPC UserName: Trevor
00:17:33.625 Initialize success
00:18:18.375 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-c
00:18:18.375 Disk 0 Vendor: ST3160815A 3.AAD Size: 152627MB BusType: 3
00:18:18.375 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T0L0-17
00:18:18.375 Disk 1 Vendor: ST3250318AS CC37 Size: 238475MB BusType: 3
00:18:18.390 Disk 1 MBR read successfully
00:18:18.390 Disk 1 MBR scan
00:18:18.390 Disk 1 Windows XP default MBR code
00:18:18.390 Disk 1 Partition 1 80 (A) 07 HPFS/NTFS NTFS 80003 MB offset 63
00:18:18.406 Disk 1 Partition 2 00 07 HPFS/NTFS NTFS 158469 MB offset 163846935
00:18:18.406 Disk 1 scanning sectors +488392065
00:18:18.468 Disk 1 scanning C:\WINDOWS\system32\drivers
00:18:25.265 Service scanning
00:18:27.000 Modules scanning
00:18:31.421 Disk 1 trace - called modules:
00:18:31.468 ntoskrnl.exe CLASSPNP.SYS disk.sys PCTCore.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
00:18:31.468 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x8aa67ab8]
00:18:31.468 3 CLASSPNP.SYS[f7647fd7] -> nt!IofCallDriver -> [0x8ab0d960]
00:18:31.468 5 PCTCore.sys[f7428407] -> nt!IofCallDriver -> \Device\00000074[0x8ab019e8]
00:18:31.468 7 ACPI.sys[f758e620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-17[0x8ab0c940]
00:18:31.468 Scan finished successfully
00:18:50.984 Disk 1 MBR has been saved successfully to "C:\Documents and Settings\Trevor\Desktop\MBR.dat"
00:18:50.984 The log file has been saved successfully to "C:\Documents and Settings\Trevor\Desktop\aswMBR.txt"

_______________________________________________________________________________________________________

thanks - Trev
  • 0
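The two logs above look at the same structure from two sides: TDSSKiller hashes the first 0x1B8 bytes of each MBR (the loader code, the region an MBR bootkit such as the Sinowal detection above overwrites), while aswMBR decodes the partition table. The Python below, an added example and not code from TDSSKiller, aswMBR or this thread, does both on a constructed 512-byte sector laid out like the Disk 1 that aswMBR reported, and compares the code-region hash against a known-good baseline, which is how a defender spots an MBR rewrite that a partition-table check alone would miss.

```python
"""Decode a raw 512-byte MBR the way the logs present it: an MD5 over the
boot-code region (TDSSKiller's "MBR (0x1B8) (<md5>)") plus the partition
table (aswMBR's "Partition 1 80 (A) 07 HPFS/NTFS ..."). Added example."""
import hashlib
import struct

SECTOR = 512
CODE_REGION = 0x1B8   # bytes 0..0x1B7: loader code, before disk signature and table
PART_TABLE = 0x1BE    # four 16-byte partition entries start here
PART_TYPES = {0x07: "HPFS/NTFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA", 0x83: "Linux"}


def mbr_code_md5(mbr: bytes) -> str:
    """MD5 of the code region only: partition edits leave it alone, a rewritten loader does not."""
    return hashlib.md5(mbr[:CODE_REGION]).hexdigest()


def code_region_changed(mbr: bytes, baseline_md5: str) -> bool:
    """Compare against a hash recorded while the disk was known-good."""
    return mbr_code_md5(mbr) != baseline_md5.lower()


def parse_partitions(mbr: bytes) -> list:
    """Return the non-empty table entries (active flag, type, LBA offset, size in MB)."""
    if len(mbr) != SECTOR or mbr[0x1FE:] != b"\x55\xAA":
        raise ValueError("not a 512-byte MBR with a 55AA signature")
    parts = []
    for i in range(4):
        # boot flag, 3 CHS bytes, type, 3 CHS bytes, LBA start, sector count
        boot, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, PART_TABLE + 16 * i)
        if ptype == 0:
            continue
        parts.append({
            "index": i + 1,
            "active": boot == 0x80,
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown"),
            "offset": lba,
            "size_mb": count * SECTOR // (1024 * 1024),
        })
    return parts


def format_like_aswmbr(p: dict) -> str:
    flag = "80 (A)" if p["active"] else "00"
    return "Partition %d %s %02X %s %d MB offset %d" % (
        p["index"], flag, p["type"], p["type_name"], p["size_mb"], p["offset"])


def build_sample_mbr() -> bytes:
    """Constructed sample, not the poster's disk: same layout aswMBR reported for
    Disk 1 (NTFS, active, offset 63, ~80003 MB; NTFS, offset 163846935, ~158469 MB).
    The boot code is a placeholder, so its hash will not match the thread's."""
    code = b"\xEB\xFE" + b"\x90" * (CODE_REGION - 2)
    disk_sig = b"\x12\x34\x56\x78\x00\x00"
    p1 = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 163846872)
    p2 = struct.pack("<B3sB3sII", 0x00, b"\xFE\xFF\xFF", 0x07, b"\xFE\xFF\xFF", 163846935, 324545130)
    return code + disk_sig + p1 + p2 + b"\x00" * 32 + b"\x55\xAA"


if __name__ == "__main__":
    sample = build_sample_mbr()
    print("MBR (0x1B8) md5:", mbr_code_md5(sample))
    for part in parse_partitions(sample):
        print(format_like_aswmbr(part))
```

To run it against a real dump, replace `build_sample_mbr()` with the 512 bytes read from a saved MBR.dat and keep the baseline hash from a clean system.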


#11
maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
TDSSKiller removed the main infection. Please delete ComboFix and download a new one as you did last time. Run the scan as instructed and, hopefully, post the log after the scan.

P.S.
Any sign of D drive now?
  • 0

#12
me4ever3131

    Member

  • Topic Starter
  • Member
  • 37 posts
Deleted ComboFix as instructed & reran it.

PC Tools Spyware Doctor came up with a message re suspicious activity - I've attached a screen shot.

I've also attached a screen capture of the Autoscan results, which failed.

Should I delete ComboFix, reload & run it, & this time when Spyware Doctor asks to quarantine anything click on "allow" instead of "quarantine"?

Attached Thumbnails

  • PC Tools Suspicous activity.jpg
  • Autoscan.jpg

  • 0

#13
me4ever3131

    Member

  • Topic Starter
  • Member
  • 37 posts
Forgot to add that the D drive still hasn't reappeared.


(I'll be signing off for the night - thanks)
  • 0

#14
maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hi me4ever3131,

Thank you for the screenshots. Please disable PC Tools now or uninstall it for a little while. After that run ComboFix. It should work now.
  • 0

#15
me4ever3131

    Member

  • Topic Starter
  • Member
  • 37 posts
Hi maliprog

Things seemed to be a bit more successful this time. The ComboFix log:

_______________________________________________________________________________

ComboFix 12-01-23.02 - Trevor 24/01/2012 18:58:31.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1209 [GMT 11:00]
Running from: C:\Documents and Settings\Trevor\Desktop\ComboFix.exe
FW: ZoneAlarm Free Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

/wow section - STAGE 6A
The system cannot execute the specified program.
The system cannot execute the specified program.

/wow section not completed

((((((((((((((((((((((((( Files Created from 2011-12-24 to 2012-01-24 )))))))))))))))))))))))))))))))


2012-01-22 22:47:39 . 2012-01-22 22:47:39 -------- d--h--w- C:\WINDOWS\PIF
2012-01-21 23:26:29 . 2012-01-21 23:26:29 -------- d-----w- C:\Documents and Settings\All Users\Application Data\AVG Secure Search
2012-01-21 23:26:05 . 2012-01-21 23:26:05 -------- d-----w- C:\Documents and Settings\Trevor\Application Data\AVG Secure Search
2012-01-21 23:26:02 . 2012-01-23 09:15:05 -------- d-----w- C:\Program Files\AVG Secure Search
2012-01-21 23:20:06 . 2012-01-21 23:20:06 -------- d-----w- C:\Documents and Settings\Trevor\Application Data\AVG2012
2012-01-21 22:46:44 . 2012-01-21 22:46:44 -------- d-----w- C:\Program Files\Common Files\AVG Secure Search
2012-01-16 06:29:44 . 2011-09-28 02:14:02 56840 ----a-w- C:\WINDOWS\system32\drivers\PCTBD.sys
2012-01-16 06:29:12 . 2011-11-22 08:42:40 185560 ----a-w- C:\WINDOWS\system32\drivers\PCTSD.sys
2012-01-16 06:29:12 . 2011-11-22 08:41:28 17848 ----a-w- C:\WINDOWS\system32\drivers\pctBTFix.sys
2012-01-16 06:27:22 . 2012-01-16 06:27:22 -------- d-----w- C:\Documents and Settings\Trevor\Application Data\TestApp
2012-01-15 22:23:32 . 2012-01-15 22:23:32 -------- d-----w- C:\Documents and Settings\Trevor\Local Settings\Application Data\Threat Expert
2012-01-12 14:04:13 . 2012-01-12 14:04:13 -------- d-----w- C:\Documents and Settings\Trevor\Application Data\PCTools
2012-01-12 12:52:02 . 2012-01-21 23:03:38 -------- d-----w- C:\Documents and Settings\All Users\Application Data\AVAST Software
2012-01-12 12:52:02 . 2012-01-13 03:18:53 -------- d-----w- C:\Program Files\AVAST Software
2012-01-12 10:45:16 . 2011-11-22 07:20:06 574424 --s---w- C:\WINDOWS\system32\drivers\TfSysMon.sys
2012-01-12 10:45:15 . 2011-11-22 07:20:06 35264 --s---w- C:\WINDOWS\system32\drivers\TfNetMon.sys
2012-01-12 10:45:15 . 2011-11-22 07:20:04 54328 --s---w- C:\WINDOWS\system32\drivers\TfFsMon.sys
2012-01-12 10:31:05 . 2011-11-14 05:07:06 149456 ----a-w- C:\WINDOWS\SGDetectionTool.dll
2012-01-12 10:31:05 . 2011-11-14 05:07:04 2246608 ----a-w- C:\WINDOWS\PCTBDCore.dll
2012-01-12 10:31:05 . 2011-11-14 05:07:04 1681360 ----a-w- C:\WINDOWS\PCTBDRes.dll
2012-01-12 10:31:05 . 2011-11-14 05:06:54 767952 ----a-w- C:\WINDOWS\BDTSupport.dll
2012-01-12 10:22:12 . 2012-01-16 06:54:42 341656 ----a-w- C:\WINDOWS\system32\drivers\pctDS.sys
2012-01-12 10:22:12 . 2011-10-07 06:52:12 660992 ----a-w- C:\WINDOWS\system32\drivers\pctEFA.sys
2012-01-12 10:22:11 . 2011-11-22 08:38:04 253096 ----a-w- C:\WINDOWS\system32\drivers\pctgntdi.sys
2012-01-12 10:22:08 . 2011-11-14 04:12:26 331880 ----a-w- C:\WINDOWS\system32\drivers\PCTCore.sys
2012-01-12 10:22:08 . 2011-11-14 04:12:24 162584 ----a-w- C:\WINDOWS\system32\drivers\PCTAppEvent.sys
2012-01-12 10:22:02 . 2011-11-22 08:43:02 70536 ----a-w- C:\WINDOWS\system32\drivers\pctplsg.sys
2012-01-12 10:21:58 . 2012-01-24 07:46:06 -------- d-----w- C:\Program Files\PC Tools Security
2012-01-12 10:21:58 . 2012-01-12 10:23:55 -------- d-----w- C:\Program Files\Common Files\PC Tools
2012-01-12 10:21:58 . 2012-01-12 10:21:58 -------- d-----w- C:\Documents and Settings\Trevor\Application Data\PC Tools
2012-01-12 10:19:50 . 2012-01-12 10:45:16 -------- d-----w- C:\Documents and Settings\All Users\Application Data\PC Tools
2012-01-02 21:22:02 . 2012-01-02 21:22:02 103864 ----a-w- C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
2012-01-02 21:22:02 . 2012-01-02 21:22:02 103864 ----a-w- C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
2012-01-02 05:25:59 . 2012-01-02 05:25:59 626688 ----a-w- C:\Program Files\Mozilla Firefox\msvcr80.dll
2012-01-02 05:25:59 . 2012-01-02 05:25:59 548864 ----a-w- C:\Program Files\Mozilla Firefox\msvcp80.dll
2012-01-02 05:25:59 . 2012-01-02 05:25:59 479232 ----a-w- C:\Program Files\Mozilla Firefox\msvcm80.dll
2012-01-02 05:25:59 . 2012-01-02 05:25:59 43992 ----a-w- C:\Program Files\Mozilla Firefox\mozutils.dll
.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2012-01-24 08:06:55 . 2009-11-17 05:01:21 27656 -c--a-w- C:\WINDOWS\system32\drivers\pxsec.sys
2012-01-24 08:06:55 . 2009-11-17 05:01:21 22024 -c--a-w- C:\WINDOWS\system32\drivers\pxscan.sys
2012-01-23 03:45:31 . 2009-11-16 18:14:25 81920 ----a-w- C:\WINDOWS\DUMP79f2.tmp
2012-01-08 12:33:14 . 2011-05-25 23:34:41 414368 -c--a-w- C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2011-11-25 21:57:19 . 2002-08-28 17:41:18 293376 ----a-w- C:\WINDOWS\system32\winsrv.dll
2011-11-23 13:25:32 . 2002-08-28 16:14:20 1859584 ----a-w- C:\WINDOWS\system32\win32k.sys
2011-11-18 12:35:08 . 2002-08-28 17:41:28 60416 ----a-w- C:\WINDOWS\system32\packager.exe
2011-11-04 19:20:51 . 2002-08-28 17:41:28 1469440 ------w- C:\WINDOWS\system32\inetcpl.cpl
2011-11-04 19:20:51 . 2002-08-28 17:41:18 916992 ----a-w- C:\WINDOWS\system32\wininet.dll
2011-11-04 19:20:51 . 2002-08-28 17:41:00 43520 ----a-w- C:\WINDOWS\system32\licmgr10.dll
2011-11-04 11:23:59 . 2009-11-16 23:48:04 385024 ----a-w- C:\WINDOWS\system32\html.iec
2011-11-03 15:28:36 . 2002-08-28 17:41:10 386048 ----a-w- C:\WINDOWS\system32\qdvd.dll
2011-11-03 15:28:36 . 2002-08-28 17:41:10 1292288 ----a-w- C:\WINDOWS\system32\quartz.dll
2011-11-01 16:07:10 . 2002-08-28 17:41:10 1288704 ----a-w- C:\WINDOWS\system32\ole32.dll
2011-10-28 05:31:48 . 2002-08-28 17:40:50 33280 ----a-w- C:\WINDOWS\system32\csrsrv.dll
2011-06-08 02:46:19 . 2011-06-08 02:44:44 99991640 -c--a-w- C:\Program Files\CyberLink.v1730_36089_Spr_PTD110506-02.exe
1998-10-07 04:58:22 . 2011-11-13 09:56:56 943949 ----a-w- C:\Program Files\winzip70.exe
2012-01-02 05:25:58 . 2011-03-24 23:41:44 121816 ----a-w- C:\Program Files\mozilla firefox\components\browsercomps.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{1C4AB6A5-595F-4e86-B15F-F93CCE2BBD48}"= "C:\Program Files\Celebrity Toolbar\tbhelper.dll" [2009-05-07 21:43:00 355840]
"{872b5b88-9db5-4310-bdd0-ac189557e5f5}"= "C:\Program Files\DVDVideoSoftTB\prxtbDVD0.dll" [2011-01-17 14:54:02 175912]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "C:\Program Files\ZoneAlarm_Security\prxtbZone.dll" [2011-05-09 09:49:38 176936]

[HKEY_CLASSES_ROOT\clsid\{1c4ab6a5-595f-4e86-b15f-f93cce2bbd48}]
[HKEY_CLASSES_ROOT\URLSearchHook.MHURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{1EA6B471-CAD2-419a-9539-0586EEFE2D09}]
[HKEY_CLASSES_ROOT\URLSearchHook.MHURLSearchHook]

[HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]

[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C37B053-FD68-456a-82E1-D788EE342E6F}]
2009-05-07 21:46:54 2642432 -c--a-w- C:\Program Files\Celebrity Toolbar\tbcore3.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]
2011-01-17 14:54:02 175912 -c--a-w- C:\Program Files\DVDVideoSoftTB\prxtbDVD0.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
2011-05-09 09:49:38 176936 ----a-w- C:\Program Files\ZoneAlarm_Security\prxtbZone.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-01-21 23:26:02 1574240 ----a-w- C:\Program Files\AVG Secure Search\9.0.0.23\AVG Secure Search_toolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-07-29 11:05:36 1515688 ----a-w- C:\Program Files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{872b5b88-9db5-4310-bdd0-ac189557e5f5}"= "C:\Program Files\DVDVideoSoftTB\prxtbDVD0.dll" [2011-01-17 14:54:02 175912]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "C:\Program Files\Ask.com\GenericAskToolbar.dll" [2011-07-29 11:05:36 1515688]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "C:\Program Files\ZoneAlarm_Security\prxtbZone.dll" [2011-05-09 09:49:38 176936]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "C:\Program Files\AVG Secure Search\9.0.0.23\AVG Secure Search_toolbar.dll" [2012-01-21 23:26:02 1574240]
"{FD2FD708-1F6F-4B68-B141-C5778F0C19BB}"= "C:\Program Files\Celebrity Toolbar\tbcore3.dll" [2009-05-07 21:46:54 2642432]

[HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]

[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]

[HKEY_CLASSES_ROOT\clsid\{fd2fd708-1f6f-4b68-b141-c5778f0c19bb}]
[HKEY_CLASSES_ROOT\MHToolbar.MHToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\MHToolbar.MHToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{FD2FD708-1F6F-4B68-B141-C5778F0C19BB}"= "C:\Program Files\Celebrity Toolbar\tbcore3.dll" [2009-05-07 21:46:54 2642432]
"{872B5B88-9DB5-4310-BDD0-AC189557E5F5}"= "C:\Program Files\DVDVideoSoftTB\prxtbDVD0.dll" [2011-01-17 14:54:02 175912]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "C:\Program Files\Ask.com\GenericAskToolbar.dll" [2011-07-29 11:05:36 1515688]
"{91DA5E8A-3318-4F8C-B67E-5964DE3AB546}"= "C:\Program Files\ZoneAlarm_Security\prxtbZone.dll" [2011-05-09 09:49:38 176936]

[HKEY_CLASSES_ROOT\clsid\{fd2fd708-1f6f-4b68-b141-c5778f0c19bb}]
[HKEY_CLASSES_ROOT\MHToolbar.MHToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\MHToolbar.MHToolbar]

[HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USBToolTip"="C:\PROGRA~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe" [2007-02-20 00:07:40 199752]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2010-11-29 06:38:18 421888]
"Norton Ghost 14.0"="C:\Program Files\Norton Ghost\Agent\VProTray.exe" [2008-01-19 09:01:08 2245984]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2011-06-07 07:51:12 421160]
"PMBVolumeWatcher"="C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe" [2010-11-26 14:55:42 648032]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2011-05-20 20:01:00 13895272]
"NvMediaCenter"="NvMCTray.dll" [2011-05-20 20:01:00 111208]
"nwiz"="C:\Program Files\NVIDIA Corporation\nView\nwiz.exe" [2011-05-04 14:02:42 1632360]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2008-12-23 23:26:54 114688]
"BrStsMon00"="C:\Program Files\Browny02\Brother\BrStMonW.exe" [2010-02-09 05:43:16 2621440]
"ApnUpdater"="C:\Program Files\Ask.com\Updater\Updater.exe" [2011-07-29 11:05:42 887976]
"ISW"="C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" [2011-11-03 14:44:24 738944]
"ZoneAlarm"="C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe" [2011-11-09 09:01:38 73360]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 11:51:18 37296]
"Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-01 23:07:56 843712]
"ISTray"="C:\Program Files\PC Tools Security\pctsGui.exe" [2011-11-22 08:41:50 2659256]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2008-04-14 00:12:16 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
MBCameraMonitor.lnk - C:\Program Files\PIXELA\Everio MediaBrowser\MBCameraMonitor.exe [2009-11-17 541976]
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2010-9-21 114688]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
MBCameraMonitor.lnk - C:\Program Files\PIXELA\Everio MediaBrowser\MBCameraMonitor.exe [2009-11-17 541976]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled\AutorunsDisabled
adobe reader speed launch.lnk.disabled [2008-9-2 1767]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

________________________________________________________________________________________
  • 0
