Last night I found a rootkit on svchost and Avast blocked it.
Then I ran a boot-time scan and found "rootkit w32 gen".
I moved it to the chest.
Today when I opened my PC,
every now and then the theme resets to Windows Classic,
and there is no sound in my speakers,
and when I click on volume control
it says there are no mixer devices available. Please help!!!
Is there anyone who can reply? :'(
Download DDS and save it to your Desktop from here:
Double click dds.scr to run the tool.
* When done, DDS will open two (2) logs:
1. DDS.txt
2. Attach.txt
Save both reports to your desktop.
Attach the log reports (DDS.txt) to the topic.
The OP double posted in this thread:
Essexboy has been notified to assist this OP for malware removal and was instructed to post an OTS log. Thank you.
OK SafeSurf, greetings.
Is it like ComboFix or not?
Should I do what you said or wait for Essexboy?
Please wait for Essexboy to assist you, he’ll be on later tonight.
Here is the log:
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Run by AKSHAY KUMAR at 12:45:26 on 2011-05-20
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.223.49 [GMT 5.5:30]
AV: avast! Antivirus Enabled/Updated {7591DB91-41F0-48A3-B128-1A293FD8233D}
============== Running Processes ===============
D:\WINDOWS\system32\svchost -k DcomLaunch
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe
D:\Program Files\Kodak\KODAK Share Button App\Listener.exe
D:\Program Files\Common Files\Java\Java Update\jusched.exe
D:\WINDOWS\system32\svchost.exe -k imgsvc
D:\Program Files\Internet Download Manager\IEMonitor.exe
D:\WINDOWS\System32\svchost.exe -k netsvcs
D:\Documents and Settings\AKSHAY KUMAR\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
D:\Documents and Settings\AKSHAY KUMAR\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
D:\Documents and Settings\AKSHAY KUMAR\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
D:\Documents and Settings\AKSHAY KUMAR\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
============== Pseudo HJT Report ===============
mURLSearchHooks: H - No File
BHO: IDM integration (IDMIEHlprObj Class): {0055c089-8582-441b-a0bf-17b458c2a3a8} - d:\program files\internet download manager\IDMIECC.dll
BHO: IE 4.x-6.x BHO for Internet Download Accelerator: {2a646672-9c3a-4c28-9a7a-1fb0f63f28b6} - c:\progra~1\ida\ida\idaiehlp.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\avastsoftware\aswWebRepIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\avastsoftware\aswWebRepIE.dll
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
uRun: [Google Update] "d:\documents and settings\akshay kumar\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AudioDeck] d:\program files\via\viaudioi\sbadeck\ADeck.exe 1
mRun: [VTTimer] VTTimer.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [KodakShareButtonApp] d:\program files\kodak\kodak share button app\Listener.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [SunJavaUpdateSched] "d:\program files\common files\java\java update\jusched.exe"
mRun: [avast] "c:\avastsoftware\avastUI.exe" /nogui
IE: Download all links with IDM - d:\program files\internet download manager\IEGetAll.htm
IE: Download ALL with IDA - c:\program files\ida\ida\idaieall.htm
IE: Download remotely with IDA - c:\program files\ida\ida\remdown.htm
IE: Download with IDA - c:\program files\ida\ida\idaie.htm
IE: Download with IDM - d:\program files\internet download manager\IEExt.htm
IE: {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - c:\program files\ida\ida\ida.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://
TCP: {4DDA501E-3082-42F0-BF65-3138D10F2D1B} =,
TCP: {FA4120D3-0AB8-4DA8-BF1C-EEBBDA613246} =,
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\WPDShServiceObj.dll
SEH: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - No File
================= FIREFOX ===================
FF - ProfilePath - d:\documents and settings\akshay kumar\application data\mozilla\firefox\profiles\etpk8ehl.default
FF - plugin: d:\documents and settings\akshay kumar\local settings\application data\google\update\\npGoogleUpdate3.dll
FF - plugin: d:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: d:\program files\microsoft silverlight\4.0.50917.0\npctrlui.dll
FF - plugin: d:\program files\mozilla firefox\plugins\npida.dll
============= SERVICES / DRIVERS ===============
R0 Avgrkx86;AVG Anti-Rootkit Driver;d:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R0 ViBus;ViBus;d:\windows\system32\drivers\ViBus.sys [2010-10-14 16896]
R0 ViPrt;VIA SATA IDE Device Driver;d:\windows\system32\drivers\ViPrt.sys [2010-10-14 52224]
R1 aswSnx;aswSnx;d:\windows\system32\drivers\aswSnx.sys [2011-3-22 441176]
R1 aswSP;aswSP;d:\windows\system32\drivers\aswSP.sys [2011-3-22 307928]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;d:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;d:\windows\system32\drivers\avgtdix.sys [2010-9-7 298448]
R1 IDMTDI;IDMTDI;d:\windows\system32\drivers\idmtdi.sys [2011-4-25 98160]
R2 aswFsBlk;aswFsBlk;d:\windows\system32\drivers\aswFsBlk.sys [2011-3-22 19544]
R2 avast! Antivirus;avast! Antivirus;c:\avastsoftware\AvastSvc.exe [2011-3-22 42184]
R3 MBAMProtector;MBAMProtector;d:\windows\system32\drivers\mbam.sys [2011-2-13 20952]
R3 MEMSWEEP2;MEMSWEEP2;??\d:\windows\system32\d.tmp → d:\windows\system32\D.tmp [?]
S1 Avgldx86;AVG AVI Loader Driver;d:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
S2 avgwd;AVG WatchDog;
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-2-13 363344]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;
S3 AVGIDSShim;AVGIDSShim;d:\windows\system32\drivers\avgidsshim.sys → d:\windows\system32\drivers\AVGIDSShim.Sys [?]
S3 cpuz132;cpuz132;
S3 MBAMSwissArmy;MBAMSwissArmy;d:\windows\system32\drivers\mbamswissarmy.sys [2011-2-13 38224]
S3 Revoflt;Revoflt;d:\windows\system32\drivers\revoflt.sys [2011-5-1 27064]
S4 AVGIDSDriver;AVGIDSDriver;d:\windows\system32\drivers\avgidsdriver.sys → d:\windows\system32\drivers\AVGIDSDriver.Sys [?]
S4 AVGIDSEH;AVGIDSEH;d:\windows\system32\drivers\avgidseh.sys → d:\windows\system32\drivers\AVGIDSEH.Sys [?]
S4 AVGIDSFilter;AVGIDSFilter;d:\windows\system32\drivers\avgidsfilter.sys → d:\windows\system32\drivers\AVGIDSFilter.Sys [?]
=============== Created Last 30 ================
2011-05-19 06:32:35 -------- d-----w- d:\program files\Lame For Audacity
2011-05-15 10:22:39 -------- d-----w- d:\documents and settings\all users\application data\Speedbit
2011-05-14 08:07:49 -------- d-----w- d:\documents and settings\akshay kumar\local settings\application data\Daum
2011-05-14 06:09:38 404640 ----a-w- d:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-01 10:38:10 -------- d-----w- d:\windows\SxsCaPendDel
2011-05-01 06:43:32 -------- d-----w- d:\documents and settings\akshay kumar\local settings\application data\VS Revo Group
2011-05-01 06:43:20 27064 ----a-w- d:\windows\system32\drivers\revoflt.sys
2011-05-01 06:43:17 -------- d-----w- d:\program files\VS Revo Group
2011-04-25 15:41:51 98160 ----a-w- d:\windows\system32\drivers\idmtdi.sys
2011-04-23 08:31:15 -------- d-----w- d:\documents and settings\akshay kumar\application data\IDM
==================== Find3M ====================
2011-05-10 12:10:59 40112 ----a-w- d:\windows\avastSS.scr
2011-05-10 12:03:54 441176 ----a-w- d:\windows\system32\drivers\aswSnx.sys
============= FINISH: 12:46:28.21 ===============
P.S. I DON'T use AVG; I used it earlier and now I use MBAM and Avast.
While we are waiting for Essexboy, please do the following in the order I have posted:
You show that AVG is active. Please run the AVG Uninstaller Tool: then reboot your machine.
Make sure your MS / Windows Updates are up to date.
Download TFC by OldTimer to your desktop.
· Please double-click TFC.exe to run it. (Note: If you are running on
· It will close all programs when running, so make sure you have saved all your work before you begin.
· Click the Start button to begin the process. Let it run uninterrupted to completion.
· Once it’s finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean. -
Check your computer for malware with Malwarebytes’ Anti-Malware (MBAM).
· Download free (the blue button) for an on-demand scanner.
· Double Click mbam-setup.exe to install the application.
· After install, click update so you have latest database before scanning.
· Under Settings:
o General: Automatically Save File After Scan Completes is checked off
o Scanner Settings: Check all boxes
o Updater: Download and install update if available is checked off
· Once the program has loaded, select “Perform FULL Scan”, then click Scan.
· The scan may take some time to finish, so please be patient.
· When the disinfection scan is complete, a log will appear in Notepad and you may be prompted to Restart. (See Extra Note).
· Click the “remove selected” button to quarantine anything found. You will find the infection details under the Quarantine tab.
· The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts – Click OK to either and let MBAM proceed with the disinfection process; If asked to restart the computer, please do so immediately.
- Check the information in the first post of this thread under Virus/Worms to check your machine for malware:
Follow the directions for obtaining the OTS logs (save them as ANSI and not Unicode). Post the MBAM log and the OTS log as an attachment (Additional Options > Attach > Post).
Please do not make any further changes to your machine after you have provided the logs.
Let us know if you have any questions. Thank you.
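The reply above is built on reading the SERVICES / DRIVERS section of the DDS log (AVG drivers still loaded although the user says AVG is gone). As an added example that is not part of this thread, of DDS, or of any helper's own tooling, here is a small Python triage over six SERVICES / DRIVERS lines copied from the logs posted above (constructed sample input, with the arrow written as DDS prints it, "-->"). It parses the state and start type, the image path, the "-->" resolved target and the "[?]" marker, and then flags leftovers from a product the user says is uninstalled, services registered with no image path, images DDS could not stat, and drivers loaded from outside system32\drivers or from a .tmp file. The vendor list, the flag strings and the "not .exe means driver" rule are my own assumptions, not DDS conventions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

# Constructed sample input: six lines copied from the SERVICES / DRIVERS section of
# the DDS logs posted in this thread, with the arrow written as DDS prints it ("-->").
SAMPLE_LOG = r"""
R0 Avgrkx86;AVG Anti-Rootkit Driver;d:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 aswSnx;aswSnx;d:\windows\system32\drivers\aswSnx.sys [2011-3-22 441176]
R3 MEMSWEEP2;MEMSWEEP2;??\d:\windows\system32\d.tmp --> d:\windows\system32\D.tmp [?]
S2 avgwd;AVG WatchDog;
S3 AVGIDSShim;AVGIDSShim;d:\windows\system32\drivers\avgidsshim.sys --> d:\windows\system32\drivers\AVGIDSShim.Sys [?]
S3 Revoflt;Revoflt;d:\windows\system32\drivers\revoflt.sys [2011-5-1 27064]
"""

# DDS service line: <R|S><start type> <name>;<display name>;<image path> [<date> <size>]
LINE_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
# Trailing "[yyyy-m-d size]" that DDS appends when it could stat the file.
STAT_RE = re.compile(r"\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]$")

DRIVER_DIR = "\\system32\\drivers\\"          # where a kernel driver is normally loaded from
TEMP_MARKERS = (".tmp", "\\temp\\")           # assumed markers of a temporary/staged image


@dataclass
class ServiceEntry:
    name: str
    display: str
    running: bool         # R = running, S = stopped
    start_type: int       # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
    path: Optional[str]   # image path (the "-->" target if DDS resolved one); None when blank
    unresolved: bool      # DDS appended "[?]": it could not stat the image file
    size: Optional[int]   # on-disk size from "[date size]", when DDS found the file


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one DDS SERVICES / DRIVERS line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    unresolved = rest.endswith("[?]")
    if unresolved:
        rest = rest[:-len("[?]")].strip()
    size = None
    stat = STAT_RE.search(rest)
    if stat:
        size = int(stat.group("size"))
        rest = rest[:stat.start()].strip()
    # "-->" is DDS's form; forum rendering sometimes turns it into an arrow glyph.
    for arrow in ("-->", "\u2192"):
        if arrow in rest:
            rest = rest.split(arrow)[-1].strip()
    return ServiceEntry(
        name=m.group("name"),
        display=m.group("display"),
        running=m.group("state") == "R",
        start_type=int(m.group("start")),
        path=rest or None,
        unresolved=unresolved,
        size=size,
    )


def triage(entries: Sequence[ServiceEntry], removed_vendors: Sequence[str] = ("avg",)) -> Dict[str, List[str]]:
    """Map service name -> reasons a helper would look at it. Clean entries are omitted."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        reasons: List[str] = []
        label = f"{e.name} {e.display}".lower()
        # Crude substring match on name/display name for a product the user says is uninstalled.
        if any(v in label for v in removed_vendors):
            reasons.append("leftover from uninstalled product")
        if e.path is None:
            reasons.append("registered with no image path")
        else:
            p = e.path.lower()
            if any(marker in p for marker in TEMP_MARKERS):
                reasons.append("image in temp location or .tmp file")
            # Assumption: anything that is not a user-mode .exe service is a kernel driver.
            if not p.endswith(".exe") and DRIVER_DIR not in p:
                reasons.append("driver outside system32\\drivers")
        if e.unresolved:
            reasons.append("DDS could not stat the image file ([?])")
        if reasons:
            findings[e.name] = reasons
    return findings


def triage_log(text: str, removed_vendors: Sequence[str] = ("avg",)) -> Dict[str, List[str]]:
    """Parse a whole log (or the pasted section) and triage it."""
    entries = [e for e in (parse_service_line(ln) for ln in text.splitlines()) if e]
    return triage(entries, removed_vendors)


if __name__ == "__main__":
    for name, reasons in triage_log(SAMPLE_LOG).items():
        print(f"{name}: " + "; ".join(reasons))
```

On the sample, aswSnx and Revoflt come back clean; Avgrkx86, avgwd and AVGIDSShim surface as AVG leftovers (avgwd additionally has no image path at all), which is exactly what SafeSurf spotted by eye; MEMSWEEP2 is flagged for loading from a .tmp outside system32\drivers and for DDS not being able to stat it. A flag here is a prompt to verify the file (publisher, hash, when it appeared on the machine), not a verdict that it is malicious.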
Cheers Safesurf - I was going to recommend that as AVG is running a rootkit scan as well
Download aswMBR.exe ( 511KB ) to your desktop.
Double click the aswMBR.exe to run it
Click the “Scan” button to start scan
On completion of the scan click save log, save it to your desktop and post in your next reply
Here is the log:
aswMBR version Copyright(c) 2011 AVAST Software
Run date: 2011-05-21 10:27:31
10:27:31.750 OS Version: Windows 5.1.2600 Service Pack 2
10:27:31.750 Number of processors: 1 586 0x2C02
10:27:31.750 ComputerName: AKSHAY UserName:
10:27:32.265 Initialize success
10:27:40.421 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\00000060
10:27:40.437 Disk 0 Vendor: achi_HDS721680PLA380_________________ OAB3A Size: 78533MB BusType: 3
10:27:42.468 Disk 0 MBR read successfully
10:27:42.468 Disk 0 MBR scan
10:27:42.468 Disk 0 Windows XP default MBR code
10:27:44.468 Disk 0 scanning sectors +160810650
10:27:44.484 Disk 0 scanning D:\WINDOWS\system32\drivers
10:27:48.156 Service scanning
10:27:49.234 Disk 0 trace - called modules:
10:27:49.234 ntkrnlpa.exe CLASSPNP.SYS disk.sys ViPrt.sys hal.dll ViBus.sys
10:27:49.234 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8135b9c0]
10:27:49.250 3 CLASSPNP.SYS[f9ed505b] → nt!IofCallDriver → \Device\00000060[0x812b1600]
10:27:49.250 Scan finished successfully
10:28:21.562 Disk 0 MBR has been saved successfully to “D:\Documents and Settings\AKSHAY KUMAR\Desktop\MBR.dat”
10:28:21.609 The log file has been saved successfully to “D:\Documents and Settings\AKSHAY KUMAR\Desktop\aswMBR.txt”
Re-run DDS and set a new log
When I restarted my PC after running TFC, it showed:
rootkit blocked
Avast has blocked a threat
name: w32 rootkit gen
from d/windows/…svchost.exe
Did you uninstall AVG?
Disable Avast whilst this runs - set the shields to off until reboot
Download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop
* Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
* Double click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Run by AKSHAY KUMAR at 11:11:51 on 2011-05-21
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.223.53 [GMT 5.5:30]
AV: avast! Antivirus Enabled/Updated {7591DB91-41F0-48A3-B128-1A293FD8233D}
============== Running Processes ===============
D:\WINDOWS\system32\svchost -k DcomLaunch
D:\WINDOWS\System32\svchost.exe -k netsvcs
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe
D:\Program Files\Kodak\KODAK Share Button App\Listener.exe
D:\Program Files\Common Files\Java\Java Update\jusched.exe
D:\WINDOWS\system32\svchost.exe -k imgsvc
D:\Documents and Settings\AKSHAY KUMAR\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
D:\Documents and Settings\AKSHAY KUMAR\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
D:\Documents and Settings\AKSHAY KUMAR\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
D:\Documents and Settings\AKSHAY KUMAR\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
============== Pseudo HJT Report ===============
mURLSearchHooks: H - No File
BHO: IDM integration (IDMIEHlprObj Class): {0055c089-8582-441b-a0bf-17b458c2a3a8} - d:\program files\internet download manager\IDMIECC.dll
BHO: IE 4.x-6.x BHO for Internet Download Accelerator: {2a646672-9c3a-4c28-9a7a-1fb0f63f28b6} - c:\progra~1\ida\ida\idaiehlp.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\avastsoftware\aswWebRepIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\avastsoftware\aswWebRepIE.dll
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
uRun: [Google Update] "d:\documents and settings\akshay kumar\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AudioDeck] d:\program files\via\viaudioi\sbadeck\ADeck.exe 1
mRun: [VTTimer] VTTimer.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [KodakShareButtonApp] d:\program files\kodak\kodak share button app\Listener.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [SunJavaUpdateSched] "d:\program files\common files\java\java update\jusched.exe"
mRun: [avast] "c:\avastsoftware\avastUI.exe" /nogui
IE: Download all links with IDM - d:\program files\internet download manager\IEGetAll.htm
IE: Download ALL with IDA - c:\program files\ida\ida\idaieall.htm
IE: Download remotely with IDA - c:\program files\ida\ida\remdown.htm
IE: Download with IDA - c:\program files\ida\ida\idaie.htm
IE: Download with IDM - d:\program files\internet download manager\IEExt.htm
IE: {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - c:\program files\ida\ida\ida.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://
TCP: {4DDA501E-3082-42F0-BF65-3138D10F2D1B} =,
TCP: {FA4120D3-0AB8-4DA8-BF1C-EEBBDA613246} =,
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\WPDShServiceObj.dll
SEH: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - No File
================= FIREFOX ===================
FF - ProfilePath - d:\documents and settings\akshay kumar\application data\mozilla\firefox\profiles\etpk8ehl.default
FF - plugin: d:\documents and settings\akshay kumar\local settings\application data\google\update\\npGoogleUpdate3.dll
FF - plugin: d:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: d:\program files\microsoft silverlight\4.0.50917.0\npctrlui.dll
FF - plugin: d:\program files\mozilla firefox\plugins\npida.dll
============= SERVICES / DRIVERS ===============
R0 ViBus;ViBus;d:\windows\system32\drivers\ViBus.sys [2010-10-14 16896]
R0 ViPrt;VIA SATA IDE Device Driver;d:\windows\system32\drivers\ViPrt.sys [2010-10-14 52224]
R1 aswSnx;aswSnx;d:\windows\system32\drivers\aswSnx.sys [2011-3-22 441176]
R1 aswSP;aswSP;d:\windows\system32\drivers\aswSP.sys [2011-3-22 307928]
R1 IDMTDI;IDMTDI;d:\windows\system32\drivers\idmtdi.sys [2011-4-25 98160]
R2 aswFsBlk;aswFsBlk;d:\windows\system32\drivers\aswFsBlk.sys [2011-3-22 19544]
R2 avast! Antivirus;avast! Antivirus;c:\avastsoftware\AvastSvc.exe [2011-3-22 42184]
R3 MBAMProtector;MBAMProtector;d:\windows\system32\drivers\mbam.sys [2011-2-13 20952]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-2-13 363344]
S3 AVGIDSShim;AVGIDSShim;d:\windows\system32\drivers\avgidsshim.sys → d:\windows\system32\drivers\AVGIDSShim.Sys [?]
S3 cpuz132;cpuz132;
S3 MBAMSwissArmy;MBAMSwissArmy;d:\windows\system32\drivers\mbamswissarmy.sys [2011-2-13 38224]
S3 MEMSWEEP2;MEMSWEEP2;??\d:\windows\system32\d.tmp → d:\windows\system32\D.tmp [?]
S3 Revoflt;Revoflt;d:\windows\system32\drivers\revoflt.sys [2011-5-1 27064]
=============== Created Last 30 ================
2011-05-19 06:32:35 -------- d-----w- d:\program files\Lame For Audacity
2011-05-15 10:22:39 -------- d-----w- d:\documents and settings\all users\application data\Speedbit
2011-05-14 08:07:49 -------- d-----w- d:\documents and settings\akshay kumar\local settings\application data\Daum
2011-05-14 06:09:38 404640 ----a-w- d:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-01 10:38:10 -------- d-----w- d:\windows\SxsCaPendDel
2011-05-01 06:43:32 -------- d-----w- d:\documents and settings\akshay kumar\local settings\application data\VS Revo Group
2011-05-01 06:43:20 27064 ----a-w- d:\windows\system32\drivers\revoflt.sys
2011-05-01 06:43:17 -------- d-----w- d:\program files\VS Revo Group
2011-04-25 15:41:51 98160 ----a-w- d:\windows\system32\drivers\idmtdi.sys
Run Combofix
My virus chest.
Should I delete these files?
Here is the log.
ComboFix attached.
My system is running like it's new.
How do I read this log?