firefox redirects to clickahead.org
Have used Spybot and Malwarebytes; says it finds nothing. Browser stalls and redirects.
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Run by kevin at 15:06:17 on 2011-10-07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2487 [GMT -7:00]
.
FW: Trend Micro Firewall Booster *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uWindow Title = Windows Internet Explorer provided by Yahoo!
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
mStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
mDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\kevin\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{305F256C-2C4F-4639-85EA-B71F646DB870} : DhcpNameServer = 68.238.64.12 68.238.128.12
TCP: Interfaces\{5AD5B291-4363-4950-BF2F-B5A07F4ECC49} : DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{A242FA79-DFB4-40D6-89C9-6BDB8210B01A} : DhcpNameServer = 68.238.64.12 68.238.128.12
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\kevin\application data\mozilla\firefox\profiles\tn89b1he.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\kevin\application data\mozilla\firefox\profiles\tn89b1he.default\extensions\{4d144bc3-23fb-47de-90c5-63ccb0139ccf}\plugins\npww.dll
FF - plugin: c:\documents and settings\kevin\local settings\application data\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\documents and settings\kevin\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: TradeManager-Plugin: {4D144BC3-23FB-47de-90C5-63CCB0139CCF} - %profile%\extensions\{4D144BC3-23FB-47de-90C5-63CCB0139CCF}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Redirect Remover: {fe0258ab-4f74-43a1-8781-bcdf340f9ee9} - %profile%\extensions\{fe0258ab-4f74-43a1-8781-bcdf340f9ee9}
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R3 USB-100;Realtek RTL8150 USB 10/100 Fast Ethernet Adapter;c:\windows\system32\drivers\RTL8150.SYS [2006-5-10 22842]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-10-6 366152]
S3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys --> c:\windows\system32\drivers\mbam.sys [?]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2009-12-21 194304]
.
=============== Created Last 30 ================
.
2011-10-07 21:31:15 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-10-06 18:19:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-06 18:00:55 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-06 17:53:59 -------- d-sh--w- c:\documents and settings\kevin\IECompatCache
.
==================== Find3M ====================
.
.
============= FINISH: 15:06:52.34 ===============
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.
Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.
All logs and reports will open in Notepad; just copy and paste them into this thread in lieu of attaching them, it's easier for us to analyse.
Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1 (http://jpshortstuff.247fixes.com/GooredFix.exe)
Download Mirror #2 (http://downloads.securitycadets.com/GooredFix.exe)
Ensure all Firefox windows are closed.
To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
When prompted to run the scan, click Yes.
GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 511KB ) to your desktop.
Double click the aswMBR.exe to run it
Click the "Scan" button to start the scan
http://public.avast.com/~gmerek/aswMBR1.png
On completion of the scan, click Save log, save it to your desktop and post it in your next reply
http://public.avast.com/~gmerek/aswMBR2.png
OTL by OldTimer
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Click the "Scan All Users" checkbox.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt.
Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them both in.
Post all the logs I need; if you need more than one reply to post them all, then that's OK.
1. GooredFix log
2. aswMBR log
3. OTL log
Looks like Conficker.
GooredFix by jpshortstuff (03.07.10.1)
Log created at 21:20 on 09/10/2011 (kevin)
Firefox version 3.6.13 (en-US)
========== GooredScan ==========
========== GooredLog ==========
C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [17:24 30/12/2010]
C:\Documents and Settings\kevin\Application Data\Mozilla\Firefox\Profiles\tn89b1he.default\extensions\
{4D144BC3-23FB-47de-90C5-63CCB0139CCF} [04:22 29/11/2010]
{b9db16a4-6edc-47ec-a1f4-b86292ed211d} [18:06 06/10/2011]
{fe0258ab-4f74-43a1-8781-bcdf340f9ee9} [21:29 07/10/2011]
[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [00:21 21/11/2010]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [18:15 19/11/2010]
-=E.O.F=-
------------------------------------
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-09 21:22:05
-----------------------------
21:22:05.015 OS Version: Windows 5.1.2600 Service Pack 3
21:22:05.015 Number of processors: 2 586 0xF02
21:22:05.015 ComputerName: ACER UserName:
21:22:05.453 Initialize success
21:26:36.250 AVAST engine defs: 11100901
21:27:04.875 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-7
21:27:04.875 Disk 0 Vendor: WDC_WD3000HLFS-01G6U1 04.04V02 Size: 286168MB BusType: 3
21:27:06.890 Disk 0 MBR read successfully
21:27:06.890 Disk 0 MBR scan
21:27:06.921 Disk 0 Windows XP default MBR code
21:27:06.921 Disk 0 scanning sectors +586051200
21:27:06.953 Disk 0 scanning C:\WINDOWS\system32\drivers
21:27:14.015 File: C:\WINDOWS\system32\drivers\volsnap.sys **INFECTED** Win32:Alureon-PS
21:27:14.250 Service scanning
21:27:14.609 Service VolSnap C:\WINDOWS\System32\Drivers\VolSnap.sys **LOCKED** 32
21:27:15.125 Modules scanning
21:27:15.437 Module: C:\WINDOWS\System32\Drivers\VolSnap.sys **SUSPICIOUS**
21:27:36.875 Disk 0 trace - called modules:
21:27:36.890 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8aa241ed]<<
21:27:36.890 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8aab7ab8]
21:27:36.890 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\0000005a[0x8aab9968]
21:27:36.890 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-7[0x8aa79d98]
21:27:36.890 \Driver\atapi[0x8ab122a8] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x8aa241ed
21:27:37.484 AVAST engine scan C:\WINDOWS
21:27:45.093 AVAST engine scan C:\WINDOWS\system32
21:29:03.328 AVAST engine scan C:\WINDOWS\system32\drivers
21:29:12.531 File: C:\WINDOWS\system32\drivers\volsnap.sys **INFECTED** Win32:Alureon-PS
21:29:18.078 AVAST engine scan C:\Documents and Settings\kevin
21:32:15.000 AVAST engine scan C:\Documents and Settings\All Users
21:32:55.109 Scan finished successfully
21:33:41.156 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\kevin\Desktop\MBR.dat"
21:33:41.156 The log file has been saved successfully to "C:\Documents and Settings\kevin\Desktop\aswMBR.txt"
Good Morning,
Any scans we run, the logs will open in Notepad; just copy and paste the logs or reports into this thread in lieu of attaching them, it's easier for us to analyse.
Your hard disk controller is infected
Re-Run aswMBR
Click Scan
On completion of the scan
Click Fix
http://public.avast.com/~gmerek/aswMBR3.png
Save the log as before and post in your next reply
Ran Avast and aswr.
Ran at boot time also.
GooredFix by jpshortstuff (03.07.10.1)
Log created at 14:16 on 10/10/2011 (kevin)
Firefox version 3.6.13 (en-US)
========== GooredScan ==========
========== GooredLog ==========
C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [17:24 30/12/2010]
C:\Documents and Settings\kevin\Application Data\Mozilla\Firefox\Profiles\tn89b1he.default\extensions\
{4D144BC3-23FB-47de-90C5-63CCB0139CCF} [04:22 29/11/2010]
{b9db16a4-6edc-47ec-a1f4-b86292ed211d} [18:06 06/10/2011]
{fe0258ab-4f74-43a1-8781-bcdf340f9ee9} [21:29 07/10/2011]
[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [00:21 21/11/2010]
"wrc@avast.com"="C:\Program Files\AVAST Software\Avast\WebRep\FF" [05:05 10/10/2011]
---------- Old Logs ----------
GooredFix[04.20.35_10-10-2011].txt
-=E.O.F=-
All logs and reports will open in Notepad; just copy and paste them into this thread in lieu of attaching them, it's easier for us to analyse.
The aswMBR log you posted was the same original log that we ran; I needed to see a new one. Open aswMBR, just do a scan, and post the new log.
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-10 14:06:17
-----------------------------
14:06:17.625 OS Version: Windows 5.1.2600 Service Pack 3
14:06:17.640 Number of processors: 2 586 0xF02
14:06:17.640 ComputerName: ACER UserName:
14:06:18.390 Initialize success
14:06:18.500 AVAST engine defs: 11101001
14:06:22.312 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-7
14:06:22.312 Disk 0 Vendor: WDC_WD3000HLFS-01G6U1 04.04V02 Size: 286168MB BusType: 3
14:06:24.312 Disk 0 MBR read successfully
14:06:24.312 Disk 0 MBR scan
14:06:24.312 Disk 0 Windows XP default MBR code
14:06:24.328 Disk 0 scanning sectors +586051200
14:06:24.343 Disk 0 scanning C:\WINDOWS\system32\drivers
14:06:30.484 File: C:\WINDOWS\system32\drivers\volsnap.sys **INFECTED** Win32:Alureon-PS
14:06:30.640 Service scanning
14:06:30.984 Service VolSnap C:\WINDOWS\System32\Drivers\VolSnap.sys **LOCKED** 32
14:06:31.500 Modules scanning
14:06:31.859 Module: C:\WINDOWS\System32\Drivers\VolSnap.sys **SUSPICIOUS**
14:06:33.984 Disk 0 trace - called modules:
14:06:34.000 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8aa061ed]<<
14:06:34.000 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8aafbab8]
14:06:34.000 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\0000005e[0x8aa579e8]
14:06:34.000 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-7[0x8ab08d98]
14:06:34.000 \Driver\atapi[0x8aab22a8] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x8aa061ed
14:06:34.343 AVAST engine scan C:\WINDOWS
14:06:42.078 AVAST engine scan C:\WINDOWS\system32
14:07:48.500 AVAST engine scan C:\WINDOWS\system32\drivers
14:07:58.671 File: C:\WINDOWS\system32\drivers\volsnap.sys **INFECTED** Win32:Alureon-PS
14:08:07.812 AVAST engine scan C:\Documents and Settings\kevin
14:10:58.453 Verifying
14:11:08.468 Disk 0 Windows 501 MBR fixed successfully
14:11:04.765 AVAST engine scan C:\Documents and Settings\All Users
14:11:15.437 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\kevin\Desktop\MBR.dat"
14:11:15.437 The log file has been saved successfully to "C:\Documents and Settings\kevin\Desktop\aswMBR.txt"
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-10 17:00:49
-----------------------------
17:00:49.343 OS Version: Windows 5.1.2600 Service Pack 3
17:00:49.343 Number of processors: 2 586 0xF02
17:00:49.343 ComputerName: ACER UserName:
17:00:50.156 Initialize success
17:00:50.328 AVAST engine defs: 11101002
17:00:52.359 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-7
17:00:52.359 Disk 0 Vendor: WDC_WD3000HLFS-01G6U1 04.04V02 Size: 286168MB BusType: 3
17:00:54.375 Disk 0 MBR read successfully
17:00:54.375 Disk 0 MBR scan
17:00:54.375 Disk 0 Windows XP default MBR code
17:00:54.375 Disk 0 scanning sectors +586051200
17:00:54.390 Disk 0 scanning C:\WINDOWS\system32\drivers
17:01:00.453 File: C:\WINDOWS\system32\drivers\volsnap.sys **INFECTED** Win32:Alureon-PS
17:01:00.593 Service scanning
17:01:00.937 Service VolSnap C:\WINDOWS\System32\Drivers\VolSnap.sys **LOCKED** 32
17:01:01.453 Modules scanning
17:01:01.828 Module: C:\WINDOWS\System32\Drivers\VolSnap.sys **SUSPICIOUS**
17:01:03.843 Disk 0 trace - called modules:
17:01:03.843 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8aa6b1ed]<<
17:01:03.843 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8aaafab8]
17:01:03.843 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\0000005e[0x8aab2f18]
17:01:03.843 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-7[0x8ab09d98]
17:01:03.843 \Driver\atapi[0x8aa54f38] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x8aa6b1ed
17:01:04.203 AVAST engine scan C:\WINDOWS
17:01:11.593 AVAST engine scan C:\WINDOWS\system32
17:02:06.625 AVAST engine scan C:\WINDOWS\system32\drivers
17:02:15.625 File: C:\WINDOWS\system32\drivers\volsnap.sys **INFECTED** Win32:Alureon-PS
17:02:22.890 AVAST engine scan C:\Documents and Settings\kevin
17:04:54.843 AVAST engine scan C:\Documents and Settings\All Users
17:05:28.390 Scan finished successfully
17:08:57.125 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\kevin\Desktop\MBR.dat"
17:08:57.125 The log file has been saved successfully to "C:\Documents and Settings\kevin\Desktop\aswMBR.txt"
Did you run the fix like I posted?
Please download TDSSKiller.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)
Extract it to your desktop
Double click TDSSKiller.exe
Press Start Scan
Only if Malicious objects are found then ensure Cure is selected
Then click Continue > Reboot now
Copy and paste the log in your next reply
A copy of the log will be saved automatically to the root of the drive (typically C:\)
Couldn't find the log on TDSSKiller, but it said it found one; hit Cure, then rebooted.
OK, we're on a roll. Run aswMBR and post the new log. You can find the log from TDSSKiller here (typically C:\).
Post those reports and then do this
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instructions on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RC1.png
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/RC2-1.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
*If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connections.
17:46:11.0796 2972 TDSS rootkit removing tool 2.6.7.0 Oct 10 2011 09:40:06
17:46:12.0281 2972 ============================================================
17:46:12.0281 2972 Current date / time: 2011/10/10 17:46:12.0281
17:46:12.0281 2972 SystemInfo:
17:46:12.0281 2972
17:46:12.0281 2972 OS Version: 5.1.2600 ServicePack: 3.0
17:46:12.0281 2972 Product type: Workstation
17:46:12.0281 2972 ComputerName: ACER
17:46:12.0281 2972 UserName: kevin
17:46:12.0281 2972 Windows directory: C:\WINDOWS
17:46:12.0281 2972 System windows directory: C:\WINDOWS
17:46:12.0281 2972 Processor architecture: Intel x86
17:46:12.0281 2972 Number of processors: 2
17:46:12.0281 2972 Page size: 0x1000
17:46:12.0281 2972 Boot type: Normal boot
17:46:12.0281 2972 ============================================================
17:46:13.0031 2972 Initialize success
17:46:18.0578 3204 ============================================================
17:46:18.0578 3204 Scan started
17:46:18.0578 3204 Mode: Manual;
17:46:18.0578 3204 ============================================================
17:46:21.0421 3204 MSTEE - ok
17:46:21.0437 3204 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
17:46:21.0437 3204 Mup - ok
17:46:21.0453 3204 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
17:46:21.0453 3204 NABTSFEC - ok
17:46:21.0468 3204 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
17:46:21.0484 3204 NDIS - ok
17:46:21.0500 3204 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
17:46:21.0500 3204 NdisIP - ok
17:46:21.0515 3204 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
17:46:21.0515 3204 NdisTapi - ok
17:46:21.0531 3204 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
17:46:21.0531 3204 Ndisuio - ok
17:46:21.0546 3204 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
17:46:21.0546 3204 NdisWan - ok
17:46:21.0562 3204 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
17:46:21.0562 3204 NDProxy - ok
17:46:21.0593 3204 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
17:46:21.0593 3204 NetBIOS - ok
17:46:21.0609 3204 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
17:46:21.0609 3204 NetBT - ok
17:46:21.0640 3204 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
17:46:21.0656 3204 NIC1394 - ok
17:46:21.0671 3204 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
17:46:21.0671 3204 Npfs - ok
17:46:21.0687 3204 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
17:46:21.0703 3204 Ntfs - ok
17:46:21.0765 3204 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
17:46:21.0765 3204 Null - ok
17:46:21.0937 3204 nv (4c3696c1ed1a36629ebb348bf745a328) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
17:46:22.0062 3204 nv - ok
17:46:22.0093 3204 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
17:46:22.0093 3204 NwlnkFlt - ok
17:46:22.0093 3204 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
17:46:22.0109 3204 NwlnkFwd - ok
17:46:22.0125 3204 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
17:46:22.0125 3204 ohci1394 - ok
17:46:22.0140 3204 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
17:46:22.0140 3204 Parport - ok
17:46:22.0156 3204 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
17:46:22.0156 3204 PartMgr - ok
17:46:22.0171 3204 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
17:46:22.0171 3204 ParVdm - ok
17:46:22.0187 3204 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
17:46:22.0203 3204 PCI - ok
17:46:22.0203 3204 PCIDump - ok
17:46:22.0218 3204 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
17:46:22.0218 3204 PCIIde - ok
17:46:22.0234 3204 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
17:46:22.0250 3204 Pcmcia - ok
17:46:22.0281 3204 PDCOMP - ok
17:46:22.0296 3204 PDFRAME - ok
17:46:22.0312 3204 PDRELI - ok
17:46:22.0328 3204 PDRFRAME - ok
17:46:22.0328 3204 perc2 - ok
17:46:22.0343 3204 perc2hib - ok
17:46:22.0390 3204 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
17:46:22.0390 3204 PptpMiniport - ok
17:46:22.0406 3204 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
17:46:22.0406 3204 PSched - ok
17:46:22.0421 3204 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
17:46:22.0421 3204 Ptilink - ok
17:46:22.0437 3204 ql1080 - ok
17:46:22.0453 3204 Ql10wnt - ok
17:46:22.0468 3204 ql12160 - ok
17:46:22.0468 3204 ql1240 - ok
17:46:22.0484 3204 ql1280 - ok
17:46:22.0500 3204 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
17:46:22.0500 3204 RasAcd - ok
17:46:22.0531 3204 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
17:46:22.0531 3204 Rasl2tp - ok
17:46:22.0546 3204 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
17:46:22.0546 3204 RasPppoe - ok
17:46:22.0546 3204 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
17:46:22.0562 3204 Raspti - ok
17:46:22.0578 3204 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
17:46:22.0578 3204 Rdbss - ok
17:46:22.0593 3204 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
17:46:22.0593 3204 RDPCDD - ok
17:46:22.0625 3204 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
17:46:22.0625 3204 rdpdr - ok
17:46:22.0640 3204 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
17:46:22.0640 3204 RDPWD - ok
17:46:22.0671 3204 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
17:46:22.0671 3204 redbook - ok
17:46:22.0718 3204 RTLWUSB (55ef6cfbebf2e54a7fe2330eb9624d2f) C:\WINDOWS\system32\DRIVERS\wg111v2.sys
17:46:22.0718 3204 RTLWUSB - ok
17:46:22.0750 3204 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
17:46:22.0750 3204 Secdrv - ok
17:46:22.0765 3204 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
17:46:22.0765 3204 serenum - ok
17:46:22.0781 3204 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
17:46:22.0796 3204 Serial - ok
17:46:22.0812 3204 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
17:46:22.0812 3204 Sfloppy - ok
17:46:22.0828 3204 Simbad - ok
17:46:22.0859 3204 SiSGbeXP (a86e52c55de3488b3fc0ff2b8ad711bf) C:\WINDOWS\system32\DRIVERS\SiSGbeXP.sys
17:46:22.0859 3204 SiSGbeXP - ok
17:46:22.0875 3204 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
17:46:22.0875 3204 SLIP - ok
17:46:22.0890 3204 Sparrow - ok
17:46:22.0906 3204 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
17:46:22.0921 3204 splitter - ok
17:46:22.0937 3204 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
17:46:22.0953 3204 sr - ok
17:46:23.0000 3204 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
17:46:23.0000 3204 Srv - ok
17:46:23.0031 3204 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
17:46:23.0031 3204 streamip - ok
17:46:23.0062 3204 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
17:46:23.0062 3204 swenum - ok
17:46:23.0078 3204 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
17:46:23.0078 3204 swmidi - ok
17:46:23.0093 3204 symc810 - ok
17:46:23.0109 3204 symc8xx - ok
17:46:23.0109 3204 sym_hi - ok
17:46:23.0125 3204 sym_u3 - ok
17:46:23.0140 3204 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
17:46:23.0140 3204 sysaudio - ok
17:46:23.0171 3204 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
17:46:23.0187 3204 Tcpip - ok
17:46:23.0203 3204 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
17:46:23.0203 3204 TDPIPE - ok
17:46:23.0218 3204 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
17:46:23.0218 3204 TDTCP - ok
17:46:23.0250 3204 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
17:46:23.0250 3204 TermDD - ok
17:46:23.0265 3204 TosIde - ok
17:46:23.0296 3204 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
17:46:23.0296 3204 Udfs - ok
17:46:23.0312 3204 ultra - ok
17:46:23.0328 3204 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
17:46:23.0343 3204 Update - ok
17:46:23.0375 3204 USB-100 (c0b1e90ad34662c3d06b157887a1bba1) C:\WINDOWS\system32\DRIVERS\RTL8150.SYS
17:46:23.0375 3204 USB-100 - ok
17:46:23.0390 3204 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\WINDOWS\system32\Drivers\usbaapl.sys
17:46:23.0406 3204 USBAAPL - ok
17:46:23.0421 3204 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
17:46:23.0421 3204 usbccgp - ok
17:46:23.0437 3204 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
17:46:23.0437 3204 usbehci - ok
17:46:23.0453 3204 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
17:46:23.0453 3204 usbhub - ok
17:46:23.0468 3204 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
17:46:23.0468 3204 usbohci - ok
17:46:23.0484 3204 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
17:46:23.0484 3204 usbprint - ok
17:46:23.0500 3204 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
17:46:23.0515 3204 usbscan - ok
17:46:23.0546 3204 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
17:46:23.0562 3204 usbstor - ok
17:46:23.0578 3204 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
17:46:23.0578 3204 VgaSave - ok
17:46:23.0593 3204 ViaIde - ok
17:46:23.0609 3204 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
17:46:23.0625 3204 VolSnap - ok
17:46:23.0640 3204 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
17:46:23.0640 3204 Wanarp - ok
17:46:23.0656 3204 WDICA - ok
17:46:23.0671 3204 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
17:46:23.0687 3204 wdmaud - ok
17:46:23.0750 3204 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
17:46:23.0765 3204 WSTCODEC - ok
17:46:23.0781 3204 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
17:46:23.0781 3204 WudfPf - ok
17:46:23.0812 3204 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
17:46:23.0812 3204 WudfRd - ok
17:46:23.0843 3204 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
17:46:23.0921 3204 \Device\Harddisk0\DR0 - ok
17:46:23.0921 3204 Boot (0x1200) (d30ff06fa19e401b927a9a3553c4df0c) \Device\Harddisk0\DR0\Partition0
17:46:23.0921 3204 \Device\Harddisk0\DR0\Partition0 - ok
17:46:23.0921 3204 ============================================================
17:46:23.0921 3204 Scan finished
17:46:23.0921 3204 ============================================================
17:46:23.0937 3024 Detected object count: 0
17:46:23.0937 3024 Actual detected object count: 0
The TDSSKiller log has to be from a second run, as no threats were found. I wanted to see the original one that you said found one threat and removed it.
Go ahead and run aswMBR to just run a scan and post the new log, and then go ahead and run ComboFix and post that log.
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-10 22:26:09
-----------------------------
22:26:09.015 OS Version: Windows 5.1.2600 Service Pack 3
22:26:09.015 Number of processors: 2 586 0xF02
22:26:09.031 ComputerName: ACER UserName:
22:26:10.156 Initialize success
22:26:10.312 AVAST engine defs: 11101002
22:26:11.843 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-7
22:26:11.843 Disk 0 Vendor: WDC_WD3000HLFS-01G6U1 04.04V02 Size: 286168MB BusType: 3
22:26:13.843 Disk 0 MBR read successfully
22:26:13.843 Disk 0 MBR scan
22:26:13.859 Disk 0 Windows XP default MBR code
22:26:13.859 Disk 0 scanning sectors +586051200
22:26:13.890 Disk 0 scanning C:\WINDOWS\system32\drivers
22:26:20.265 Service scanning
22:26:21.265 Modules scanning
22:26:23.625 Disk 0 trace - called modules:
22:26:23.625
22:26:24.015 AVAST engine scan C:\WINDOWS
22:26:31.421 AVAST engine scan C:\WINDOWS\system32
22:27:31.281 AVAST engine scan C:\WINDOWS\system32\drivers
22:27:41.906 AVAST engine scan C:\Documents and Settings\kevin
22:30:27.656 AVAST engine scan C:\Documents and Settings\All Users
22:30:59.984 Scan finished successfully
22:33:27.125 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\kevin\Desktop\MBR.dat"
22:33:27.125 The log file has been saved successfully to "C:\Documents and Settings\kevin\Desktop\aswMBR.txt"
ComboFix 11-10-10.04 - kevin 10/10/2011 22:41:31.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2552 [GMT -7:00]
Running from: c:\users\Public\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Trend Micro Firewall Booster *Disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.
.
((((((((((((((((((((((((( Files Created from 2011-09-11 to 2011-10-11 )))))))))))))))))))))))))))))))
.
.
2011-10-10 05:06 . 2011-09-06 20:37 320856 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-10-10 05:06 . 2011-09-06 20:36 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-10-10 05:06 . 2011-09-06 20:38 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-10-10 05:06 . 2011-09-06 20:36 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-10-10 05:06 . 2011-09-06 20:36 52568 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-10-10 05:06 . 2011-09-06 20:36 110552 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-10-10 05:06 . 2011-09-06 20:36 104536 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-10-10 05:06 . 2011-09-06 20:33 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-10-10 05:05 . 2011-09-06 20:45 41184 ----a-w- c:\windows\avastSS.scr
2011-10-10 05:05 . 2011-09-06 20:45 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-10-10 05:05 . 2011-10-10 05:05 -------- d-----w- c:\program files\AVAST Software
2011-10-10 05:05 . 2011-10-10 05:05 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-10-09 19:46 . 2011-10-09 19:46 -------- d-----w- c:\documents and settings\logan.ACER
2011-10-09 02:28 . 2011-10-09 02:28 -------- d-sh--w- c:\documents and settings\miranda\IETldCache
2011-10-09 02:06 . 2011-10-09 02:06 -------- d-sh--w- c:\documents and settings\martha\IETldCache
2011-10-07 21:31 . 2011-10-07 21:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-10-06 18:00 . 2011-10-06 18:00 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-06 17:53 . 2011-10-06 17:53 -------- d-sh--w- c:\documents and settings\kevin\IECompatCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-11 00:27 . 2008-04-14 12:00 52352 ----a-w- c:\windows\system32\drivers\volsnap.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-09-06 20:45 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-13 16377344]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-28 13918208]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-09-06 3722416]
.
c:\documents and settings\miranda\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR WG111v2 Smart Wizard.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NETGEAR WG111v2 Smart Wizard.lnk
backup=c:\windows\pss\NETGEAR WG111v2 Smart Wizard.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^P2 Card Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\P2 Card Manager.lnk
backup=c:\windows\pss\P2 Card Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^kevin^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
path=c:\documents and settings\kevin\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
backup=c:\windows\pss\OpenOffice.org 3.2.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 07:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-12-03 19:17 136176 ----atw- c:\documents and settings\kevin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-09-28 02:19 13918208 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-09-28 02:19 86016 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
2004-03-11 09:26 406016 ----a-w- c:\windows\system32\PSDrvCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 19:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
2003-05-02 02:44 65536 ----a-w- c:\program files\Common Files\Roxio Shared\System\EngUtil.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 23:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [10/9/2011 10:06 PM 442200]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [10/9/2011 10:06 PM 320856]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/9/2011 10:06 PM 20568]
R3 USB-100;Realtek RTL8150 USB 10/100 Fast Ethernet Adapter;c:\windows\system32\drivers\RTL8150.SYS [5/10/2006 4:22 PM 22842]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [12/21/2009 12:45 AM 194304]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - aswMBR
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 11:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1060284298-1390067357-1417001333-1003Core.job
- c:\documents and settings\kevin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-03 19:17]
.
2011-10-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1060284298-1390067357-1417001333-1003UA.job
- c:\documents and settings\kevin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-03 19:17]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
mStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
FF - ProfilePath - c:\documents and settings\kevin\Application Data\Mozilla\Firefox\Profiles\tn89b1he.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF
FF - Ext: TradeManager-Plugin: {4D144BC3-23FB-47de-90C5-63CCB0139CCF} - %profile%\extensions\{4D144BC3-23FB-47de-90C5-63CCB0139CCF}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Redirect Remover: {fe0258ab-4f74-43a1-8781-bcdf340f9ee9} - %profile%\extensions\{fe0258ab-4f74-43a1-8781-bcdf340f9ee9}
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
SafeBoot-96009171.sys
MSConfigStartUp-nwiz - c:\program files\NVIDIA Corporation\nView\nwiz.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Common Files\Java\Java Update\jusched.exe
AddRemove-NVIDIA nView Desktop Manager - c:\program files\NVIDIA Corporation\nView\nViewSetup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-10 22:54
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2892)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-10-10 23:00:13
ComboFix-quarantined-files.txt 2011-10-11 06:00
.
Pre-Run: 226,409,402,368 bytes free
Post-Run: 226,982,920,192 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 7348915130B963AE4B8FA03E486EE72A
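Two of the ComboFix lines in the log above are the ones worth reading closely for a redirect complaint: Firefox has an HTTP proxy of 127.0.0.1 port 50370 recorded in prefs.js, but network.proxy.type is 0, which in Firefox means "no proxy", so that entry is inert as logged. The Python below is an added example, not code from this thread, from ComboFix or from Firefox; it pulls the proxy preferences out of either a ComboFix "FF - prefs.js:" block or a raw prefs.js file and reports whether a proxy is actually in effect. The two inline samples are constructed (the first copies the four FF lines from the log above, the second is a made-up prefs.js in which the same proxy is switched on), and the function names are my own.

```python
"""Read Firefox proxy preferences from a ComboFix 'FF - prefs.js:' block or a
raw prefs.js and decide whether the proxy is actually in effect.

Added example; not code from this thread, ComboFix or Firefox.
"""
import re

# network.proxy.type values as Firefox defines them.
PROXY_TYPE = {0: "direct", 1: "manual", 2: "pac", 4: "auto-detect", 5: "system"}

# Constructed sample: the FF lines copied from the ComboFix log above.
SAMPLE_COMBOFIX = """\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 0
"""

# Constructed sample: a raw prefs.js where the same proxy has been turned on.
SAMPLE_PREFS_JS = """\
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 50370);
user_pref("network.proxy.type", 1);
"""

COMBOFIX_RE = re.compile(r"^FF - prefs\.js: (\S+) - (.*)$", re.M)
PREFS_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+?)\);\s*$', re.M)


def _coerce(raw):
    """Turn a pref value into str/int/bool; strings keep their text."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if raw in ("true", "false"):
        return raw == "true"
    try:
        return int(raw)
    except ValueError:
        return raw


def parse_combofix_ff(text):
    """Prefs from the 'FF - prefs.js: name - value' lines of a ComboFix log."""
    return {k: _coerce(v) for k, v in COMBOFIX_RE.findall(text)}


def parse_prefs_js(text):
    """Prefs from user_pref("name", value); lines of a Firefox prefs.js."""
    return {k: _coerce(v) for k, v in PREFS_RE.findall(text)}


def assess_proxy(prefs):
    """Report whether a proxy is live and what a responder should look at."""
    ptype = prefs.get("network.proxy.type", 0)
    mode = PROXY_TYPE.get(ptype, "unknown")
    host = prefs.get("network.proxy.http")
    port = prefs.get("network.proxy.http_port")
    pac = prefs.get("network.proxy.autoconfig_url")
    findings = []
    active = (mode == "manual" and host is not None) or (mode == "pac" and pac is not None)
    loopback = str(host) in ("127.0.0.1", "localhost", "::1")
    if mode == "manual" and host is not None:
        where = "loopback" if loopback else "remote host"
        findings.append(f"manual HTTP proxy in effect via {where} {host}:{port}; "
                        "identify the process listening on that port")
    elif host is not None:
        findings.append(f"proxy host {host}:{port} recorded but proxy type is "
                        f"'{mode}', so it is inert unless the type changes")
    if mode == "pac":
        findings.append(f"proxy autoconfig URL {pac} decides routing; fetch and read it")
    return {"mode": mode, "active": active, "host": host, "port": port,
            "findings": findings}


if __name__ == "__main__":
    for label, prefs in (("combofix", parse_combofix_ff(SAMPLE_COMBOFIX)),
                         ("prefs.js", parse_prefs_js(SAMPLE_PREFS_JS))):
        report = assess_proxy(prefs)
        print(label, report["mode"], "active" if report["active"] else "inactive")
        for line in report["findings"]:
            print("  -", line)
```

On the log above the first sample reports mode "direct" and the proxy as inactive, which is why the stored 127.0.0.1:50370 entry cannot by itself explain the redirects; the second sample shows the same values reported as a live loopback proxy, the case where the next step is to find the process bound to that port.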
Good Morning,
Looks like the rootkit is gone.
OTL by OldTimer
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top, change it to Minimal Output.
Click the "Scan All Users" checkbox.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt.
Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.
Due to inactivity, this thread will now be closed.
If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a new DDS log with a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.