win32:MBRoot-J [Trj]

Hi

I am new to this forum. I have experienced a similar infection to the one described at the post:

http://forum.avast.com/index.php?topic=78458.0

Avast detects the malware specified in the subject, but I cannot get rid of it even with the scan at boot-time (it detects the infection, but does not fix the problem).

I have followed the first steps as described in the recommendations to follow, without success yet. Here are the logs:


Malwarebytes’ Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6821

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/06/2011 23:39:13
mbam-log-2011-06-10 (23-39-13).txt

Scan type: Quick scan
Objects scanned: 195101
Time elapsed: 6 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


OTS (attached)


aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-06-09 21:55:44

21:55:44.359 OS Version: Windows 5.1.2600 Service Pack 3
21:55:44.359 Number of processors: 2 586 0xE08
21:55:44.359 ComputerName: MGA_PORTABLE UserName: mga
21:55:44.906 Initialize success
21:55:53.796 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-3
21:55:53.812 Disk 0 Vendor: FUJITSU_MHV2100BH_PL 00000029 Size: 95396MB BusType: 3
21:55:55.843 Disk 0 MBR read successfully
21:55:55.843 Disk 0 MBR scan
21:55:55.843 Disk 0 unknown MBR code
21:55:57.843 Disk 0 scanning sectors +195366465
21:55:57.890 Disk 0 scanning C:\WINDOWS\system32\drivers
21:56:04.140 Service scanning
21:56:05.328 Disk 0 trace - called modules:
21:56:05.359 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
21:56:05.359 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8a6dfab8]
21:56:05.359 3 CLASSPNP.SYS[f7657fd7] → nt!IofCallDriver → \Device\00000083[0x8a69d9e8]
21:56:05.359 5 ACPI.sys[f75ae620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-3[0x8a668940]
21:56:05.375 Scan finished successfully
21:59:20.781 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\mga\Desktop\MBR.dat”
21:59:20.796 The log file has been saved successfully to “C:\Documents and Settings\mga\Desktop\aswMBR.txt”

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-06-10 21:38:28

21:38:28.312 OS Version: Windows 5.1.2600 Service Pack 3
21:38:28.312 Number of processors: 2 586 0xE08
21:38:28.312 ComputerName: MGA_PORTABLE UserName: mga
21:38:28.734 Initialize success
21:38:42.187 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-3
21:38:42.187 Disk 0 Vendor: FUJITSU_MHV2100BH_PL 00000029 Size: 95396MB BusType: 3
21:38:44.265 Disk 0 MBR read successfully
21:38:44.281 Disk 0 MBR scan
21:38:44.281 Disk 0 unknown MBR code
21:38:46.281 Disk 0 scanning sectors +195366465
21:38:46.500 Disk 0 scanning C:\WINDOWS\system32\drivers
21:38:52.468 Service scanning
21:38:53.640 Disk 0 trace - called modules:
21:38:53.671 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
21:38:53.671 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8a71c428]
21:38:53.687 3 CLASSPNP.SYS[f7657fd7] → nt!IofCallDriver → \Device\00000084[0x8a6a0338]
21:38:53.687 5 ACPI.sys[f75ae620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-3[0x8a6c0940]
21:38:53.687 Scan finished successfully
21:39:10.640 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\mga\Desktop\MBR.dat”
21:39:10.640 The log file has been saved successfully to “C:\Documents and Settings\mga\Desktop\aswMBR.txt”


MBR.dat was also detected as infected when rebooting in the scan at boot time.

I use a laptop where I share two partitions one for Linux and one for Windows, booting via the Grub engine. Never experienced problems before for two years.

Can anybody help fixing the malware? Thanks in advance.

atis

welcome to the forum.

someone will check those logs and will give you further instruction.

i suggest you try a boot scan with avast and try to send the malware to the chest from there.

http://www.schmahl.net/avastbootscan.php

good luck.

Thanks Mikaelrask,

I’ll wait for the instructions.

Meanwhile I will run again a bootscan with Avast with the settings suggested in your attached link. I will report in a new post.

Cheers,

atis

Hi,

Here is the most recent aswboot report.

06/11/2011 16:02
Scan of all local drives

File MBR 0 is infected by Win32:MBRoot-J [Trj]
File C:\Documents and Settings\HelpAssistant.jose.user.preferences|>image Error 42125 {ZIP archive is corrupted.}
File C:\Documents and Settings\HelpAssistant\My Documents\sofware\adware\pllangs.exe|>Wise0038.bin Error 42145 {Installer archive is corrupted.}
File C:\Documents and Settings\HelpAssistant\My Documents\sofware\censolar\censol_f.zip|>CENSOL_F.EXE Error 42125 {ZIP archive is corrupted.}
File C:\Documents and Settings\mga.jose.user.preferences|>image Error 42125 {ZIP archive is corrupted.}
File C:\Documents and Settings\mga\My Documents\sofware\censolar\censol_f.zip|>CENSOL_F.EXE Error 42125 {ZIP archive is corrupted.}
Number of searched folders: 12705
Number of tested files: 661899
Number of infected files: 1

It logs the infection in MBR (no option is given to delete it). The corrupted files are old files never used recently. Don’t know whether there is any connection.
I don’t notice any strange behaviour in the computer yet.

I wait for any suggestions/ recommendations.

Thanks.

Atis

Don’t worry about the archive is corrupted message.

Try this avast MBR rootkit tool:

Hi David,

I rerun the tool and obtained the same message that I posted last Friday. Here it is again.

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-06-12 12:24:57

12:24:57.968 OS Version: Windows 5.1.2600 Service Pack 3
12:24:57.968 Number of processors: 2 586 0xE08
12:24:57.968 ComputerName: MGA_PORTABLE UserName: mga
12:24:58.328 Initialize success
12:25:10.312 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-3
12:25:10.312 Disk 0 Vendor: FUJITSU_MHV2100BH_PL 00000029 Size: 95396MB BusType: 3
12:25:12.343 Disk 0 MBR read successfully
12:25:12.343 Disk 0 MBR scan
12:25:12.343 Disk 0 unknown MBR code
12:25:14.359 Disk 0 scanning sectors +195366465
12:25:14.406 Disk 0 scanning C:\WINDOWS\system32\drivers
12:25:23.812 Service scanning
12:25:25.484 Disk 0 trace - called modules:
12:25:25.500 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
12:25:25.562 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8a6dfab8]
12:25:25.562 3 CLASSPNP.SYS[f7657fd7] → nt!IofCallDriver → \Device\00000083[0x8a68f9e8]
12:25:25.562 5 ACPI.sys[f75ae620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-3[0x8a6a2940]
12:25:25.562 Scan finished successfully
12:25:30.875 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\mga\Desktop\MBR.dat”
12:25:30.875 The log file has been saved successfully to “C:\Documents and Settings\mga\Desktop\aswMBR.txt”

I hope this may help. I wonder whether the line:
12:25:12.343 Disk 0 unknown MBR code

has to do with the fact that I have partitions both for Linux and Windows and boot from Grub, or actually this is the signal of the virus.

Cheers,

Atis
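The question above, whether "unknown MBR code" comes from GRUB or from an infection, can be triaged offline by decoding the saved MBR.dat. The following is an added example, not part of the original thread and not code from Avast; it assumes MBR.dat is a raw copy of sector 0, and the marker strings are heuristic hints about which boot loader wrote the code, not proof that the code is unmodified. The sample sector is constructed.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446          # four 16-byte partition entries start here
# Text found in common stock boot code. A match is a triage hint only:
# it does not prove the rest of the code is unmodified.
LOADER_MARKERS = [(b"GRUB", "GRUB"),
                  (b"Missing operating system", "Microsoft standard MBR")]
TYPE_NAMES = {0x05: "Extended", 0x07: "NTFS/HPFS", 0x0B: "FAT32",
              0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)",
              0x82: "Linux swap", 0x83: "Linux"}


def parse_mbr(sector: bytes) -> dict:
    """Decode one 512-byte MBR sector into its basic fields."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    boot_code = sector[:440]             # code area before the disk signature
    loader = next((name for marker, name in LOADER_MARKERS
                   if marker in boot_code), "unrecognised")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, TABLE_OFFSET + 16 * i)
        if ptype == 0:                   # unused slot
            continue
        partitions.append({"slot": i, "active": status == 0x80,
                           "type": TYPE_NAMES.get(ptype, hex(ptype)),
                           "start_lba": lba, "sectors": count})
    return {"signature_ok": sector[510:512] == b"\x55\xaa",
            "loader": loader,
            "boot_code_empty": not any(boot_code),
            "partitions": partitions}


def build_sample_mbr() -> bytes:
    """Constructed dual-boot sector: GRUB-style text, NTFS + Linux + swap."""
    buf = bytearray(SECTOR_SIZE)
    text = b"GRUB \x00Geom\x00Hard Disk\x00Read\x00 Error"
    buf[0x170:0x170 + len(text)] = text
    entries = [(0x80, 0x07, 63, 100000000),        # constructed values
               (0x00, 0x83, 100000063, 80000000),
               (0x00, 0x82, 180000063, 4000000)]
    for i, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into("<B3sB3sII", buf, TABLE_OFFSET + 16 * i,
                         status, b"\x00" * 3, ptype, b"\x00" * 3, lba, count)
    buf[510:512] = b"\x55\xaa"
    return bytes(buf)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                # e.g. python mbrinfo.py MBR.dat
        with open(sys.argv[1], "rb") as fh:
            data = fh.read(SECTOR_SIZE)
    else:
        data = build_sample_mbr()
    info = parse_mbr(data)
    print("boot signature ok:", info["signature_ok"])
    print("boot code looks like:", info["loader"])
    for part in info["partitions"]:
        print(part)
```

A "GRUB" result alongside the expected NTFS and Linux partitions is consistent with a dual-boot loader that a Windows-oriented scanner does not recognise; the vendor's analysis of the submitted file remains the deciding check.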

It may well be that could you send the MBR.dat from your desktop to Avast via the virus chest

Second opinion now

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png

  • If an infected file is detected, the default action will be Cure, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png

  • If a suspicious file is detected, the default action will be Skip, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png

  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.

Hi essexboy,

Thanks for your message.

I start to be a bit confused. TDSS killer did not find anything as far as I understand (please see the log attached as it seems to be too big). But Avast continue popping up the alarm. No other symptoms in the last couple of days.

Cheers,

Atis.

Could you upload the MBR.dat to avast so that they can check it out, it may be because you are using grub

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RC1.png

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

  • Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Hi essexboy,

Thanks again for your quick and prompt answer.

Sorry, I am new on all this and I have two doubts:

1.- (sure it is simple) how do I upload mbr.dat to avast? I always click “send to avast” when I am prompted to do so after the pop-up detection. I suppose I have sent it already? Is there other way?

2.- (crucial) would combofix not be the hair of the dog? I mean, I would like to find out first if effectively I am infected. I have read a guide to combofix and in my (short) knowledge I risk to run down my whole configuration with this powerful tool. As far as MBR is taken over by Windows (for whatever reason like rebooting in safe mode, for instance), it will possibly overwrite my partitions in Linux.
Have you ever used this tool with a similar configuration? I am ready to reinstall everything if needed, but first I’d rather confirm that the computer is infected with a tool not so aggressive (obviously if it exists).

Thanks again for your advice.

Atis.

.- (sure it is simple) how do I upload mbr.dat to avast? I always click "send to avast" when I am prompted to do so after the pop-up detection. I suppose I have sent it already? Is there other way?

Moving files to the Virus Chest
https://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=501#idt_03

Submitting files from the Virus Chest to avast! Virus Lab
https://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=501#idt_07

No, we could start easy ;D This scan is purely analysis.

To ensure that I get all the information this log will need to be attached (instructions at the end). If it is too large to attach then upload to Mediafire and post the sharing link.

Download OTS to your Desktop

  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Check the box that says 64 bit
  • Under Additional Scans check the following:

Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

  • Under the Custom Scan box paste this in


%SYSTEMDRIVE%*.exe
/md5start
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

Thanks both to Pondus and essexboy.

1.- MBR.DAT has been submitted to Avast virus lab. (I have quoted the subject of this thread in case it helps). Apparently it will be actually submitted as far as I close and update avast.

2.- OTS.txt log is at: http://www.mediafire.com/?aqsszff695m55j4

I have put the first one I run after the detection of the potential virus, as it took a while to run the scan. If needed, I will run another one tomorrow, and put the new log.

Let’s see if any of this bring some light…

Cheers,

Atis

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Driver Services - Safe List]
YY -> (gsplittm) gsplittm [Kernel | On_Demand | Stopped] -> C:\Documents and Settings\mga\Local Settings\Temp\gsplittm.sys
[Registry - Safe List]
< FireFox Extensions [Program Folders] > -> 
YY -> Java Console   -> C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> "" [HKLM] -> Reg Error: Key error. [Reg Error: Value error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-2798417395-2383758349-3804553033-1006\] > -> HKEY_USERS\S-1-5-21-2798417395-2383758349-3804553033-1006\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\"{C4069E3A-68F1-403E-B40E-20066696354B}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value error.]
YN -> CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] -> [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value error.]
YN -> CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] -> [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-2798417395-2383758349-3804553033-1006\] > -> HKEY_USERS\S-1-5-21-2798417395-2383758349-3804553033-1006\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value error.]
YN -> CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] -> [Reg Error: Key error.]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \{baa4b40e-dc64-11dc-a640-00a0d147e75b} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{baa4b40e-dc64-11dc-a640-00a0d147e75b}\Shell\AutoRun\command -> 
YN -> \{baa4b40e-dc64-11dc-a640-00a0d147e75b}\Shell\AutoRun\command\\"" -> [F:\ooo.exe]
[Registry - Additional Scans - Safe List]
< Disabled MSConfig Registry Items [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\
YN -> My Web Search Bar hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
YN -> MyWebSearch Email Plugin hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
YN -> MyWebSearch Plugin hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
 
 

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

Thanks essexboy, not only for your advice, but also working on my confidence on this unusual task for me.

Well here is the outcome of last step.

I run OTS, after finishing its job, it prompted me to accept for re-booting in order to apply the full fixing. I accepted but the application remained idle (not stall). I waited some 25 minutes waiting for another prompt or just for the application to close and reboot, but nothing happened. So I did it myself, close OTS and reboot.

No log was generated (I searched also elsewhere in my hard disk after rebooting) and nothing apparently happened (no strange behaviour whatsoever in my laptop). Avast detected again the infection after a few minutes, asked me to delete the malware and here we go again…

Should I rerun OTS with the same code? Maybe the application failed to complete the whole task.

Just incidentally microsoft prompted an error-message in the PCHealth folder of the application data. Just copied it:

EventType : visualstudio7x80update P1 : msiexec.exe P2 : 1.0.1686.5002
P3 : kb2416447 P4 : 1033 P5 : 643 P6 : f P7 : install
P8 : x86 P9 : 5.1.2600.2.3.0.768 P10 : 0

NDP1.1sp1_KB2416447_X86_wrapper.log
version.txt

Don’t suppose it has anything to do.

Well, that’s all. Wondering if it helps.

Cheers,

Atis.

Could you run a fresh OTS scan - then I can check to see if the driver was removed

Hi essexboy,

Here is fresh OTS. I’ve run the scan with the same parameters you instructed me yesterday.

Hope you can find there what you look for. Looks to me as a complex task.

http://www.mediafire.com/?hno0wcof6poj9ta

Thanks!

Atis

OK, the driver does not want to go quietly - let’s call in the big boy. I have never yet had a problem with combofix, and it has plenty of built-in safeguards

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RC1.png

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

  • Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Hi essexboy,

Here is my report after such a thrilling experience. Will try to be explicit and synthetic.

1.- Run ComboFix.

2.- At my own risk did not install the recovery console. To my reading, my reasoning and my (short) knowledge, I trusted more ComboFix than MS installation of the console. The risk installing the console is removing my whole partitions structure sharing Linux and MS XP. I assumed the risk of losing my MS system (I have my own restoration CD) with ComboFix, but at least I expected being able to boot with Linux in the worst scenario.

  1. ComboFix apparently did his work. At running I saw it deleting three files and a number of folders (windows system ones, which made me quite uneasy, I must confess).

  2. It closed and tried to reboot, but could not alone. As I expected Grub, did not allow it straight. I needed to switch-off and re-start. I was relieved when I saw my booting panel in Grub, all intact. I booted XP, and ComboFix retook control. I guess that he checked out the actions taken place after rebooting. It generated the log I am enclosing. It also discovered it generated at my root folder a subfolder called Qoobox with two text files “add-removed” files and “quarantined”. It includes a subfolder called “quarantine”. Did not want to be killed by curiosity as they say for the cat: I report, but did not open any of them.

  3. Behaviour so far so good. Avast did not turn on after rebooting. For the rest did not appreciate any remarkable change in appearance on my desktop. Internet works fine and so does the browser.

Wait for instructions after your checking the log (posted in a second post). Getting more curious about the whole thing, although I confess I was afraid during the experience.

Thanks for your great support !

atis

Combofix log mentioned in my previous post. Atis

http://www.mediafire.com/?3q2k71k379oaqod