Win32: Alureon

Hi, I have a Windows XP PC that may be infected with the Win32: Alureon rootkit. I have TDSS, OTL, aswMBR, and Combofix ready to go on a flash drive. I found the infection with an Avast full system scan (include rootkits, include RAM, etc.).

I am also concerned that it may have deactivated Internet Explorer (when I click on Explorer, it flashes and immediately closes).

How can I fix the computer?

thank you!

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-07-23 09:58:13

09:58:13.812 OS Version: Windows 5.1.2600 Service Pack 3
09:58:13.812 Number of processors: 4 586 0x202
09:58:13.812 ComputerName: HOME-GATE UserName: Owner
09:58:17.531 Initialize success
09:58:18.687 AVAST engine defs: 12072301
09:58:29.812 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Scsi\nvgts1Port2Path0Target0Lun0
09:58:29.812 Disk 0 Vendor: ST350063 3.AA Size: 476940MB BusType: 3
09:58:29.812 Device \Driver\nvgts → DriverStartIo 8a2072e2
09:58:29.812 Disk 0 MBR read error 0
09:58:29.828 Disk 0 MBR scan
09:58:29.828 Disk 0 unknown MBR code
09:58:29.828 MBR BIOS signature not found 0
09:58:29.828 Disk 0 scanning sectors +976768065
09:58:29.890 Disk 0 scanning C:\WINXP\system32\drivers
09:58:44.140 Service scanning
09:58:55.953 Modules scanning
09:59:07.796 Disk 0 trace - called modules:
09:59:07.812 ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a2074b1]<<
09:59:07.812 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8a34d9c0]
09:59:07.812 3 CLASSPNP.SYS[b80e8fd7] → nt!IofCallDriver → \Device\00000063[0x8a361920]
09:59:07.828 5 ACPI.sys[b7f7f620] → nt!IofCallDriver → [0x8a32ca38]
09:59:07.828 \Driver\nvgts[0x8a32df38] → IRP_MJ_CREATE → 0x8a2074b1
09:59:10.156 AVAST engine scan C:\WINXP
09:59:50.140 AVAST engine scan C:\WINXP\system32
10:03:15.968 AVAST engine scan C:\WINXP\system32\drivers
10:03:16.109 AVAST engine scan C:\Documents and Settings\Owner
10:03:16.312 AVAST engine scan C:\Documents and Settings\All Users.WINXP
10:03:16.328 Scan finished successfully
10:13:16.828 Disk 0 MBR has been saved successfully to “J:\Trip to China\MBR.dat”
10:13:17.609 The log file has been saved successfully to “J:\Trip to China\aswMBR.txt”

OTL Extras logfile created on: 7/23/2012 9:37:26 AM - Run 1
OTL by OldTimer - Version 3.2.54.0 Folder = J:\Trip to China
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.87 Gb Total Physical Memory | 1.90 Gb Available Physical Memory | 66.10% Memory free
4.72 Gb Paging File | 3.97 Gb Available in Paging File | 84.15% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINXP | %ProgramFiles% = C:\Program Files
Drive C: | 454.81 Gb Total Space | 147.65 Gb Free Space | 32.46% Space Free | Partition Type: NTFS
Drive H: | 10.95 Gb Total Space | 5.13 Gb Free Space | 46.83% Space Free | Partition Type: NTFS
Drive J: | 3.84 Gb Total Space | 0.42 Gb Free Space | 10.88% Space Free | Partition Type: FAT32

Computer Name: HOME-GATE | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes<extension>]
.cpl [@ = cplfile] – rundll32.exe shell32.dll,Control_RunDLL “%1”,%*
.url [@ = InternetShortcut] – rundll32.exe ieframe.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-1343024091-117609710-839522115-1003\SOFTWARE\Classes<extension>]
.html [@ = FirefoxHTML] – C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes<key>\shell[command]\command]
batfile [open] – “%1” %*
cmdfile [open] – “%1” %*
comfile [open] – “%1” %*
cplfile [cplopen] – rundll32.exe shell32.dll,Control_RunDLL “%1”,%*
exefile [open] – “%1” %*
InternetShortcut [open] – rundll32.exe ieframe.dll,OpenURL %l
piffile [open] – “%1” %*
regfile [merge] – Reg Error: Key error.
scrfile [config] – “%1”
scrfile [install] – rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] – “%1” /S
txtfile [edit] – Reg Error: Key error.
Unknown [openas] – %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] – %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] – %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] – %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] – %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
“AntiVirusDisableNotify” = 0
“FirewallDisableNotify” = 0
“UpdatesDisableNotify” = 0
“AntiVirusOverride” = 0
“FirewallOverride” = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
“DisableSR” = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
“Start” = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
“Start” = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
“139:TCP” = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
“445:TCP” = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
“137:UDP” = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
“138:UDP” = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
“EnableFirewall” = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
“139:TCP” = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
“445:TCP” = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
“137:UDP” = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
“138:UDP” = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
“1900:UDP” = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
“2869:TCP” = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
“C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe” = C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe:*:Enabled:Daemonu.exe – (NVIDIA Corporation)
“C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe” = C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit – (Apple Inc.)
“C:\Program Files\Intuit\QuickBooks 2011\QBDBMgrN.exe” = C:\Program Files\Intuit\QuickBooks 2011\QBDBMgrN.exe:*:Enabled:QuickBooks 2011 Data Manager – (Intuit, Inc.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
“{1111706F-666A-4037-7777-203328764D10}” = JavaFX 2.0.3
“{11E0AC7D-6834-4F67-865F-EE1C13D28C38}” = QuickBooks Premier: Professional Services Edition 2011
“{1D70AABC-CB59-4700-A708-EA56D1CA07B0}” = QuickBooks
“{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}” = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
“{26A24AE4-039D-4CA4-87B4-2F83217003FF}” = Java™ 7 Update 3
“{33286280-8617-11E1-8FF6-B8AC6F97B88E}” = Google Earth Plug-in
“{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}” = WebFldrs XP
“{4A03706F-666A-4037-7777-5F2748764D10}” = Java Auto Updater
“{654977DB-0001-0002-0001-EABD228DDE8B}” = Microsoft Download Manager
“{716E0306-8318-4364-8B8F-0CC4E9376BAC}” = MSXML 4.0 SP2 Parser and SDK
“{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}” = Apple Software Update
“{7BE15435-2D3E-4B58-867F-9C75BED0208C}” = QuickTime
“{7CFA46E3-CC2F-4355-82AE-6012DC3633FD}” = NVIDIA ForceWare Network Access Manager
“{90300409-6000-11D3-8CFE-0050048383C9}” = Microsoft Office XP Media Content
“{91130409-6000-11D3-8CFE-0050048383C9}” = Microsoft Office XP Small Business
“{9A25302D-30C0-39D9-BD6F-21E6EC160475}” = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
“{A1F2C608-32D6-467D-B035-BBEF509042BA}_is1” = Free Opener
“{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}” = Microsoft .NET Framework 3.0 Service Pack 2
“{A83279FD-CA4B-4206-9535-90974DE76654}” = Apple Application Support
“{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}” = Google Update Helper
“{AC76BA86-7AD7-1033-7B44-A95000000001}” = Adobe Reader 9.5.1
“{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.ControlPanel” = NVIDIA Control Panel 296.10
“{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver” = NVIDIA Graphics Driver 296.10
“{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NView” = NVIDIA nView 136.18
“{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update” = NVIDIA Update 1.7.11
“{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer” = NVIDIA Install Application
“{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}NVIDIA.Update” = NVIDIA Update Components
“{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}” = Microsoft .NET Framework 2.0 Service Pack 2
“{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}” = Microsoft .NET Framework 3.5 SP1
“{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}” = Realtek High Definition Audio Driver
“{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}” = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
“Adobe Acrobat 5.0” = Adobe Acrobat 5.0
“Adobe Flash Player ActiveX” = Adobe Flash Player 11 ActiveX
“Adobe Flash Player Plugin” = Adobe Flash Player 11 Plugin
“Adobe Photoshop 5.5” = Adobe Photoshop 5.5
“Agere Systems Soft Modem” = Agere Systems PCI-SV92PP Soft Modem
“avast” = avast! Free Antivirus
“BeyondCompare3_is1” = Beyond Compare Version 3.3.3
“ComcastHSI” = Comcast High-Speed Internet Install Wizard
“EPSON NX300 Series” = EPSON NX300 Series Printer Uninstall
“EPSON Scanner” = EPSON Scan
“ie8” = Windows Internet Explorer 8
“InstallShield_{7CFA46E3-CC2F-4355-82AE-6012DC3633FD}” = NVIDIA ForceWare Network Access Manager
“Malwarebytes’ Anti-Malware_is1” = Malwarebytes Anti-Malware version 1.62.0.1300
“Microsoft .NET Framework 3.5 SP1” = Microsoft .NET Framework 3.5 SP1
“Mozilla Firefox 12.0 (x86 en-US)” = Mozilla Firefox 12.0 (x86 en-US)
“MozillaMaintenanceService” = Mozilla Maintenance Service
“NVIDIA Drivers” = NVIDIA Drivers
“中信建投网上交易” = 中信建投网上交易 (China Securities online trading client; the name is GBK text that was mis-decoded in the pasted log)
“Windows XP Service Pack” = Windows XP Service Pack 3

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 7/8/2012 11:01:54 AM | Computer Name = HOME-GATE | Source = Application Error | ID = 1000
Description = Faulting application FlashPlayerUpdateService.exe, version 11.3.300.262,
faulting module ntdll.dll, version 5.1.2600.6055, fault address 0x000113c0.

Error - 7/8/2012 11:01:59 AM | Computer Name = HOME-GATE | Source = Application Error | ID = 1001
Description = Fault bucket -1264370443.

Error - 7/8/2012 8:02:06 PM | Computer Name = HOME-GATE | Source = Application Error | ID = 1000
Description = Faulting application FlashPlayerUpdateService.exe, version 11.3.300.262,
faulting module ntdll.dll, version 5.1.2600.6055, fault address 0x000113c0.

Error - 7/8/2012 8:02:13 PM | Computer Name = HOME-GATE | Source = Application Error | ID = 1001
Description = Fault bucket -1264370443.

Error - 7/9/2012 6:38:23 AM | Computer Name = HOME-GATE | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in “QuickBooks”: Returning NULL QBWinInstance
Hand

Error - 7/9/2012 6:38:23 AM | Computer Name = HOME-GATE | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in “QuickBooks”: Returning NULL QBWinInstance
Hand

Error - 7/9/2012 6:38:23 AM | Computer Name = HOME-GATE | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in “QuickBooks”: Returning NULL QBWinInstance
Hand

Error - 7/9/2012 6:57:36 PM | Computer Name = HOME-GATE | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in “QuickBooks”: Returning NULL QBWinInstance
Hand

Error - 7/9/2012 6:57:36 PM | Computer Name = HOME-GATE | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in “QuickBooks”: Returning NULL QBWinInstance
Hand

Error - 7/9/2012 6:57:36 PM | Computer Name = HOME-GATE | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in “QuickBooks”: Returning NULL QBWinInstance
Hand

[ System Events ]
Error - 7/21/2012 6:50:24 PM | Computer Name = HOME-GATE | Source = DCOM | ID = 10005
Description = DCOM got error “%1084” attempting to start the service EventSystem
with arguments “” in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 7/21/2012 6:51:37 PM | Computer Name = HOME-GATE | Source = Ntfs | ID = 262199
Description = The file system structure on the disk is corrupt and unusable. Please
run the chkdsk utility on the volume K:.

Error - 7/22/2012 6:25:17 AM | Computer Name = HOME-GATE | Source = Service Control Manager | ID = 7023
Description = The Automatic Updates service terminated with the following error:
%%126

Error - 7/23/2012 7:13:22 AM | Computer Name = HOME-GATE | Source = Service Control Manager | ID = 7031
Description = The avast! Antivirus service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 5000 milliseconds:
Restart the service.

Error - 7/23/2012 7:16:44 AM | Computer Name = HOME-GATE | Source = Service Control Manager | ID = 7031
Description = The avast! Antivirus service terminated unexpectedly. It has done
this 2 time(s). The following corrective action will be taken in 5000 milliseconds:
Restart the service.

Error - 7/23/2012 8:42:35 AM | Computer Name = HOME-GATE | Source = Service Control Manager | ID = 7023
Description = The Automatic Updates service terminated with the following error:
%%126

Error - 7/23/2012 8:57:07 AM | Computer Name = HOME-GATE | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the QBCFMonitorService service
to connect.

Error - 7/23/2012 8:57:07 AM | Computer Name = HOME-GATE | Source = Service Control Manager | ID = 7023
Description = The Automatic Updates service terminated with the following error:
%%126

Error - 7/23/2012 9:05:29 AM | Computer Name = HOME-GATE | Source = Service Control Manager | ID = 7023
Description = The Automatic Updates service terminated with the following error:
%%126

Error - 7/23/2012 9:05:59 AM | Computer Name = HOME-GATE | Source = DCOM | ID = 10010
Description = The server {E60687F7-01A1-40AA-86AC-DB1CBF673334} did not register
with DCOM within the required timeout.

< End of report >

OTL logfile
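Editor's added example; this is not part of the original post and is not code from AVAST or OldTimer. The aswMBR log above reports “Disk 0 unknown MBR code” and a call trace that ends in an IRP_MJ_CREATE handler at 0x8a2074b1 that the scanner could not attribute to any loaded module, and it saved the MBR to J:\Trip to China\MBR.dat. The script below reads such a 512-byte image, checks the 0x55AA boot signature, parses the four partition entries, compares the 446 bytes of boot code with a reference MBR you supply (aswMBR's “unknown MBR code” is the same comparison against its built-in set), and reports how many sectors lie after the last partition, the region a TDL4-family bootkit uses for its hidden file system. The disk size and partition layout in the sample are constructed: the sector count is that of a 500 GB drive like the ST3500630 in the log, the partition boundaries and boot-code bytes are invented.

```python
"""Inspect a raw 512-byte MBR image such as the MBR.dat that aswMBR saves.

Added example by the editor; sample data below is constructed, not taken
from the poster's disk.
"""
import struct
import sys
from dataclasses import dataclass
from typing import List, Optional

SECTOR_BYTES = 512
BOOT_SIG = b"\x55\xaa"      # 0xAA55 stored little-endian at offset 510
PT_OFFSET = 446             # four 16-byte partition entries start here

# Constructed sample geometry: 976,773,168 sectors = 500 GB (476,940 MiB, as aswMBR
# reports for this drive). The two NTFS partitions are invented for the example.
DISK_SECTORS = 976_773_168
SAMPLE_ENTRIES = [
    (True, 0x07, 63, 953_867_520),            # bootable NTFS, C:
    (False, 0x07, 953_867_583, 22_900_482),   # NTFS, H:; ends at LBA 976,768,064
]


@dataclass(frozen=True)
class Partition:
    index: int
    bootable: bool
    ptype: int
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:
        """Last sector of the partition (inclusive)."""
        return self.lba_start + self.sectors - 1


def has_boot_signature(mbr: bytes) -> bool:
    return len(mbr) >= SECTOR_BYTES and mbr[510:512] == BOOT_SIG


def boot_code(mbr: bytes) -> bytes:
    """The executable bytes before the partition table (what aswMBR classifies)."""
    return mbr[:PT_OFFSET]


def parse_partition_table(mbr: bytes) -> List[Partition]:
    if len(mbr) < SECTOR_BYTES:
        raise ValueError("MBR image must be at least 512 bytes")
    parts = []
    for i in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, PT_OFFSET + 16 * i)
        if ptype == 0 and count == 0:
            continue                      # empty slot
        parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return parts


def trailing_unallocated(parts: List[Partition], disk_sectors: int) -> int:
    """Sectors after the last partition: unallocated space a bootkit can hide in."""
    if not parts:
        return disk_sectors
    return max(disk_sectors - (max(p.lba_end for p in parts) + 1), 0)


def analyze(mbr: bytes, disk_sectors: int, reference_code: Optional[bytes] = None) -> dict:
    """Return partitions, trailing free sectors and a list of textual findings."""
    findings = []
    if not has_boot_signature(mbr):
        findings.append("boot signature 0x55AA missing at offset 510")
    parts = parse_partition_table(mbr)
    for p in parts:
        if p.lba_end >= disk_sectors:
            findings.append(f"partition {p.index} extends past end of disk")
    if reference_code is not None and boot_code(mbr) != reference_code:
        findings.append("boot code differs from reference MBR")
    return {
        "partitions": parts,
        "trailing_unallocated_sectors": trailing_unallocated(parts, disk_sectors),
        "findings": findings,
    }


def build_sample_mbr(entries, code: bytes = b"\xfa\x33\xc0", sig: bytes = BOOT_SIG) -> bytes:
    """Assemble a constructed MBR image from (bootable, type, lba_start, sectors) tuples.

    The default boot code is a placeholder stub, not a real Windows MBR.
    """
    table = b"".join(
        struct.pack("<B3xB3xII", 0x80 if bootable else 0, ptype, lba, count)
        for bootable, ptype, lba, count in entries
    )
    return code.ljust(PT_OFFSET, b"\x00") + table.ljust(64, b"\x00") + sig


if __name__ == "__main__":
    # Usage: python mbr_check.py MBR.dat [disk_sectors] [reference_mbr.dat]
    if len(sys.argv) > 1:
        image = open(sys.argv[1], "rb").read(SECTOR_BYTES)
        total = int(sys.argv[2]) if len(sys.argv) > 2 else DISK_SECTORS
        ref = boot_code(open(sys.argv[3], "rb").read(SECTOR_BYTES)) if len(sys.argv) > 3 else None
    else:
        image, total, ref = build_sample_mbr(SAMPLE_ENTRIES), DISK_SECTORS, None
    for key, value in analyze(image, total, ref).items():
        print(f"{key}: {value}")
```

One caveat a practitioner will want: the aswMBR trace shows the disk miniport (\Driver\nvgts) being reached through a handler outside any known module, and a driver hooked that way can hand a clean copy of sector 0 to anything that reads it from the running system, including the tool that wrote MBR.dat. Compare that image with one taken after booting from known-clean media before trusting a "no findings" result, and use a reference MBR from a clean machine with the same Windows version.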