svchost - virus or mem leak or ?

Question

Sabre2th 0 Newbie Poster

13 Years Ago

Hello and thank you for the welcome to DaniWeb. I hope that someone can find the time to help me with my xp problems.

The problem is that one of my svchost.exe processes gradually demands more and more ram and cpu which eventually locks up my machine.
I can safely execute that particular svchost and the system stays online but I know that this svchost is also handling the windows audio service which means I get no sound. I have this service set up to restart in the event of a failure which it does do but ofcourse this also starts up that particular svchost, which also controls a handful of other services, and slowly climbs in resources again.
I have disabled as many services as I think I can that this process is controlling using MS' Process Explorer to see which services it handles, disabling individual services and noting change although there are none.
I am baffled by this seeing as this is a fresh install of xp, only a week old, which started exhibiting this behaviour somewhere between windows updates. This leads me to believe that it is not a virus and instead a windows service or system driver that is causing the problems.
I would greatly appreciate this forum's insight into the problem.

Currently I am using msconfig to disable certain services from starting as well as having manually disabled specific services in the administrative tools/services MS application.
Here is a screenshot of the problem process and the services it was running:
http://i1131.photobucket.com/albums/m550/xSabre2th/svchost%20probs/svchostproblem.jpg
I have since changed the services under that svchost and now it runs:
Windows Audio
Background Intelligent Transfer Service
Cryptographic Services
Task Scheduler
Themes
Windows Time
Windows Management Instrumentation
Security Center
Automatic Updates

Any help or hints would be greatly appreciated.
Thankyou

---
Cleaning steps:

ran ms mal soft tool
Trojan: DOS/Alureon.A "Partially removed, manual steps required"

ran atf cleaner
~700 MBs cleaned from main
no firefox files were removed

rebooted into safe mode to disable AV

ran GMER
no initial auto scan and so log one is empty
completed scan and log saved (almost 50K lines of text)

reboot into windows
instructed to re activate windows due to "major changes" (none in fact) to hardware

ran MBAM 1.51.0.1200
found 6 infections
log saved
removed infections
rebooted

read forums while waiting to see if svchost was fixed
30 minutes later svchost is back to 200k ram usage and averaging 10% cpu usage and climbing - not fixed.

ran spybot s&d
immunized browsers
ran search
1 problem in registry keys - security centre disabled (my doing)

re-enabled automatic updates and security centre as this is evidently not the problem

MBAM log:

Malwarebytes' Anti-Malware 1.51.0.1200
[url]www.malwarebytes.org[/url]

Database version: 7114

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

13/07/2011 21:38:40
mbam-log-2011-07-13 (21-38-40).txt

Scan type: Full scan (D:\|)
Objects scanned: 182113
Time elapsed: 38 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Value: ForceClassicControlPanel -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (PUM.Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

DDS.txt log:

.
DDS (Ver_2011-06-23.01) - NTFSx86 
Internet Explorer: 8.0.6001.18702
Run by Sabre2th at 21:44:22 on 2011-07-13
Microsoft Windows XP Home Edition  5.1.2600.3.1252.44.1033.18.2045.1415 [GMT 1:00]
.
FW: COMODO Firewall *Enabled* 
.
============== Running Processes ===============
.
D:\PROGRA~1\AVG\AVG10\avgchsvx.exe
D:\PROGRA~1\AVG\AVG10\avgrsx.exe
D:\windows\system32\Ati2evxx.exe
D:\windows\system32\svchost -k DcomLaunch
svchost.exe
D:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
D:\windows\System32\svchost.exe -k netsvcs
D:\windows\system32\Ati2evxx.exe
svchost.exe
svchost.exe
svchost.exe
D:\windows\Explorer.EXE
D:\Program Files\AVG\AVG10\avgwdsvc.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
D:\Program Files\AVG\AVG10\avgnsx.exe
D:\Program Files\AVG\AVG10\avgemcx.exe
D:\windows\RTHDCPL.EXE
D:\Program Files\Common Files\Java\Java Update\jusched.exe
D:\Program Files\AVG\AVG10\avgtray.exe
D:\Program Files\COMODO\COMODO Internet Security\cfp.exe
D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
D:\windows\system32\ctfmon.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
D:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
D:\windows\System32\svchost.exe -k HTTPFilter
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\Program Files\IrfanView\i_view32.exe
D:\Program Files\Notepad++\notepad++.exe
\\?\D:\windows\system32\WBEM\WMIADAP.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = my.daemon-search.com
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - d:\program files\avg\avg10\avgssie.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - d:\program files\daemon tools toolbar\DTToolbar.dll
uRun: [CTFMON.EXE] d:\windows\system32\ctfmon.exe
mRun: [StartCCC] "d:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SunJavaUpdateSched] "d:\program files\common files\java\java update\jusched.exe"
mRun: [AVG_TRAY] d:\program files\avg\avg10\avgtray.exe
mRun: [COMODO Internet Security] "d:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [ISUSPM Startup] d:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [ISUSScheduler] "d:\program files\common files\installshield\updateservice\issch.exe" -start
dRun: [CTFMON.EXE] d:\windows\system32\CTFMON.EXE
dRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
uPolicies-explorer: NoInternetIcon = 1 (0x1)
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoSMMyPictures = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-system: DisableCAD = 1 (0x1)
dPolicies-explorer: NoInternetIcon = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
dPolicies-explorer: NoSMMyPictures = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{266B92E4-CBA0-4A26-8F67-9E464D0AFE3C} : DhcpNameServer = 192.168.1.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - d:\program files\avg\avg10\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: d:\windows\system32\guard32.dll
SecurityProviders: schannel.dll, digest.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - d:\documents and settings\sabre2th\application data\mozilla\firefox\profiles\rdvvc98g.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - plugin: d:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;d:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;d:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]
R1 AppleCharger;AppleCharger;d:\windows\system32\drivers\AppleCharger.sys [2011-7-9 19496]
R1 Avgldx86;AVG AVI Loader Driver;d:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;d:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]
R1 Avgtdix;AVG TDI Driver;d:\windows\system32\drivers\avgtdix.sys [2011-4-5 297168]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;d:\windows\system32\drivers\cmdGuard.sys [2011-6-30 242600]
R1 cmdHlp;COMODO Internet Security Helper Driver;d:\windows\system32\drivers\cmdhlp.sys [2011-6-30 29400]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;d:\windows\system32\drivers\dtsoftbus01.sys [2011-7-11 218688]
R2 AVGIDSAgent;AVGIDSAgent;d:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]
R2 avgwd;AVG WatchDog;d:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 cmdAgent;COMODO Internet Security Helper Service;d:\program files\comodo\comodo internet security\cmdagent.exe [2011-6-30 1793712]
R2 cpuz135;cpuz135;d:\windows\system32\drivers\cpuz135_x32.sys [2011-7-8 21992]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;d:\windows\system32\drivers\AtihdXP3.sys [2011-7-8 101392]
R3 AVGIDSDriver;AVGIDSDriver;d:\windows\system32\drivers\AVGIDSDriver.sys [2011-4-14 134480]
R3 AVGIDSFilter;AVGIDSFilter;d:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]
R3 AVGIDSShim;AVGIDSShim;d:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 27216]
R3 usbfilter;AMD USB Filter Driver;d:\windows\system32\drivers\usbfilter.sys [2011-7-9 30392]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;d:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 Ambfilt;Ambfilt;d:\windows\system32\drivers\Ambfilt.sys [2011-7-8 1691480]
S3 MBAMSwissArmy;MBAMSwissArmy;d:\windows\system32\drivers\mbamswissarmy.sys [2011-7-8 39984]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;d:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 AppleChargerSrv;AppleChargerSrv;system32\AppleChargerSrv.exe --> system32\AppleChargerSrv.exe [?]
.
=============== File Associations ===============
.
.txt=Notepad++_file
.
=============== Created Last 30 ================
.
2011-07-13 15:49:20	--------	d--h--w-	D:\$AVG
2011-07-12 15:24:00	--------	d-----w-	d:\program files\IrfanView
2011-07-12 11:38:37	--------	d-----w-	d:\program files\Process Explorer
2011-07-11 10:25:54	--------	d-----w-	d:\program files\DAMN NFO Viewer
2011-07-11 10:14:59	3786760	----a-w-	d:\windows\system32\D3DX9_37.dll
2011-07-11 10:07:52	218688	----a-w-	d:\windows\system32\drivers\dtsoftbus01.sys
2011-07-11 10:07:33	--------	d-----w-	d:\program files\DAEMON Tools Toolbar
2011-07-11 10:07:03	--------	d-----w-	d:\program files\DAEMON Tools Lite
2011-07-11 10:06:50	--------	d-----w-	d:\documents and settings\sabre2th\application data\DAEMON Tools Lite
2011-07-11 10:06:50	--------	d-----w-	d:\documents and settings\all users\application data\DAEMON Tools Lite
2011-07-10 23:04:07	--------	d-----w-	d:\windows\system32\LogFiles
2011-07-10 23:03:34	--------	d-----w-	d:\documents and settings\sabre2th\application data\Azureus
2011-07-10 23:02:59	--------	d-----w-	d:\program files\Vuze
2011-07-09 14:32:04	--------	d-----w-	d:\windows\pss
2011-07-09 13:21:42	33792	----a-w-	d:\windows\system32\drivers\AmdPPM.sys
2011-07-09 13:06:16	30392	----a-w-	d:\windows\system32\drivers\usbfilter.sys
2011-07-09 13:05:42	--------	d-----w-	d:\program files\AMD
2011-07-09 12:58:36	207400	----a-r-	d:\windows\GSetup.exe
2011-07-08 12:53:09	--------	d-----w-	d:\windows\system32\XPSViewer
2011-07-08 12:52:51	89088	------w-	d:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-07-08 12:52:51	597504	------w-	d:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-07-08 12:52:51	597504	------w-	d:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-07-08 12:52:51	575488	------w-	d:\windows\system32\xpsshhdr.dll
2011-07-08 12:52:51	575488	------w-	d:\windows\system32\dllcache\xpsshhdr.dll
2011-07-08 12:52:51	1676288	------w-	d:\windows\system32\xpssvcs.dll
2011-07-08 12:52:51	1676288	------w-	d:\windows\system32\dllcache\xpssvcs.dll
2011-07-08 12:52:51	117760	------w-	d:\windows\system32\prntvpt.dll
2011-07-08 12:52:50	--------	d-----w-	D:\e77e2f3fec24775c10292954942b6439
2011-07-08 12:50:05	101392	----a-w-	d:\windows\system32\drivers\AtihdXP3.sys
2011-07-08 12:41:40	990208	----a-w-	d:\windows\system32\syssetup.dll
2011-07-08 12:41:40	140288	----a-w-	d:\windows\system32\sfc_os.dll
2011-07-08 12:32:00	--------	d-sh--w-	d:\documents and settings\sabre2th\PrivacIE
2011-07-08 12:27:26	--------	d-----w-	d:\windows\ie8updates
2011-07-08 12:27:17	399872	----a-w-	d:\windows\system32\lmrt.dll
2011-07-08 12:27:17	399872	----a-w-	d:\windows\system32\dllcache\lmrt.dll
2011-07-08 12:27:17	165376	----a-w-	d:\windows\system32\dllcache\datime.dll
2011-07-08 12:27:17	165376	----a-w-	d:\windows\system32\datime.dll
2011-07-08 12:27:17	151040	----a-w-	d:\windows\system32\dllcache\cdfview.dll
2011-07-08 12:27:17	1054208	----a-w-	d:\windows\system32\dllcache\danim.dll
2011-07-08 12:25:41	7680	------w-	d:\windows\system32\dllcache\iecompat.dll
2011-07-08 12:25:36	602112	------w-	d:\windows\system32\dllcache\msfeeds.dll
2011-07-08 12:25:36	55296	------w-	d:\windows\system32\dllcache\msfeedsbs.dll
2011-07-08 12:25:35	12800	------w-	d:\windows\system32\dllcache\xpshims.dll
2011-07-08 12:25:34	743424	------w-	d:\windows\system32\dllcache\iedvtool.dll
2011-07-08 12:25:34	247808	------w-	d:\windows\system32\dllcache\ieproxy.dll
2011-07-08 12:25:34	1991680	------w-	d:\windows\system32\dllcache\iertutil.dll
2011-07-08 12:25:33	11081728	------w-	d:\windows\system32\dllcache\ieframe.dll
2011-07-08 12:24:18	21504	----a-w-	d:\windows\system32\drivers\hidserv.dll
2011-07-08 12:22:44	221184	----a-w-	d:\windows\system32\wmpns.dll
2011-07-08 12:22:25	--------	d-sh--w-	d:\documents and settings\sabre2th\IETldCache
2011-07-08 12:22:21	--------	d-sh--w-	d:\documents and settings\all users\DRM
2011-07-08 12:22:08	--------	d-----w-	d:\windows\system32\wbem\snmp
2011-07-08 12:22:08	--------	d-----w-	d:\windows\system32\spool
2011-07-08 12:22:07	--------	d-----w-	d:\windows\system32\xircom
2011-07-08 12:22:07	--------	d-----w-	d:\program files\msn gaming zone
2011-07-08 12:14:58	52224	------w-	d:\windows\system32\dllcache\mspmsnsv.dll
2011-07-08 12:08:26	--------	d-----w-	d:\windows\ServicePackFiles
2011-07-08 12:08:06	774144	------w-	d:\program files\windows media player\setup_wm.exe
2011-07-08 12:08:06	73728	------w-	d:\program files\windows media player\wmplayer.exe
2011-07-08 12:08:06	4639	------w-	d:\program files\windows media player\mplayer2.exe
2011-07-08 12:08:06	364544	------w-	d:\program files\windows media player\npdsplay.dll
2011-07-08 12:08:06	294912	------w-	d:\program files\windows media player\dlimport.exe
2011-07-08 12:08:06	226816	------w-	d:\program files\windows media player\npdrmv2.dll
2011-07-08 12:08:06	10240	------w-	d:\program files\windows media player\npwmsdrm.dll
2011-07-08 12:06:57	87040	------w-	d:\windows\system32\drmstor.dll
2011-07-08 12:05:26	152064	------w-	d:\windows\system32\shmedia.dll
2011-07-08 12:04:59	809984	------w-	d:\windows\system32\wmvdmod.dll
2011-07-08 12:03:40	19569	----a-w-	d:\windows\002177_.tmp
2011-07-08 12:03:34	--------	d-----w-	d:\windows\system32\ReinstallBackups
2011-07-08 11:59:03	--------	d-----w-	d:\windows\EHome
2011-07-08 11:48:23	--------	d-----w-	d:\windows\Offline Web Pages
2011-07-08 11:46:19	--------	dc-h--w-	d:\windows\ie8
2011-07-08 11:26:52	--------	d-----w-	D:\4a35bf9a96c5f85cbcb0c8
2011-07-08 11:18:26	272128	------w-	d:\windows\system32\dllcache\bthport.sys
2011-07-08 11:18:19	353792	------w-	d:\windows\system32\dllcache\srv.sys
2011-07-08 11:18:12	81920	------w-	d:\windows\system32\dllcache\fontsub.dll
2011-07-08 11:18:12	119808	------w-	d:\windows\system32\dllcache\t2embed.dll
2011-07-08 11:18:11	203136	------w-	d:\windows\system32\dllcache\rmcast.sys
2011-07-08 11:18:03	331776	------w-	d:\windows\system32\dllcache\msadce.dll
2011-07-08 11:18:00	455680	------w-	d:\windows\system32\dllcache\mrxsmb.sys
2011-07-08 10:50:58	--------	d-----w-	d:\windows\Downloaded Program Files
2011-07-08 10:50:05	--------	d-----w-	d:\documents and settings\sabre2th\application data\.minecraft
2011-07-08 10:49:22	--------	d-----w-	D:\Minecraft
2011-07-08 10:45:59	293376	------w-	d:\windows\system32\browserchoice.exe
2011-07-08 10:45:41	--------	d-----w-	d:\program files\StarCraft II
2011-07-08 10:45:41	--------	d-----w-	d:\program files\common files\Blizzard Entertainment
2011-07-08 10:45:41	--------	d-----w-	d:\documents and settings\all users\application data\Blizzard Entertainment
2011-07-08 10:44:45	337408	------w-	d:\windows\system32\dllcache\netapi32.dll
2011-07-08 10:44:37	1172480	------w-	d:\windows\system32\dllcache\msxml3.dll
2011-07-08 10:44:13	2560	------w-	d:\windows\system32\xpsp4res.dll
2011-07-08 10:44:13	215552	------w-	d:\windows\system32\dllcache\wordpad.exe
2011-07-08 10:40:40	--------	d-----w-	d:\documents and settings\sabre2th\local settings\application data\ATI
2011-07-08 10:40:29	--------	d-----w-	d:\windows\system32\Lang
2011-07-08 10:25:30	--------	d-----w-	d:\documents and settings\sabre2th\application data\Malwarebytes
2011-07-08 10:25:25	39984	----a-w-	d:\windows\system32\drivers\mbamswissarmy.sys
2011-07-08 10:25:25	--------	d-----w-	d:\documents and settings\all users\application data\Malwarebytes
2011-07-08 10:25:22	22712	----a-w-	d:\windows\system32\drivers\mbam.sys
2011-07-08 10:25:22	--------	d-----w-	d:\program files\Malwarebytes' Anti-Malware
2011-07-08 10:21:27	--------	d-----w-	d:\program files\COMODO
2011-07-08 10:21:02	--------	d-----w-	d:\documents and settings\sabre2th\application data\AVG10
2011-07-08 10:19:58	--------	d-----w-	d:\windows\system32\PreInstall
2011-07-08 10:19:55	--------	d--h--w-	d:\windows\$hf_mig$
2011-07-08 10:19:39	--------	d-----w-	d:\windows\system32\drivers\AVG
2011-07-08 10:19:39	--------	d-----w-	d:\documents and settings\all users\application data\AVG10
2011-07-08 10:19:29	--------	d-----w-	d:\program files\AVG
2011-07-08 10:19:11	--------	d-----w-	d:\documents and settings\all users\application data\Comodo
2011-07-08 10:18:50	--------	d-----w-	d:\documents and settings\all users\application data\Comodo Downloader
2011-07-08 10:18:09	73728	----a-w-	d:\windows\system32\javacpl.cpl
2011-07-08 10:18:09	472808	----a-w-	d:\windows\system32\deployJava1.dll
2011-07-08 10:17:18	21992	----a-w-	d:\windows\system32\drivers\cpuz135_x32.sys
2011-07-08 10:17:18	--------	d-----w-	d:\program files\CPUID
2011-07-08 10:16:16	--------	d-----w-	d:\windows\system32\SoftwareDistribution
2011-07-08 10:15:37	81936	----a-w-	d:\windows\system32\RtNicProp32.dll
2011-07-08 10:15:37	277352	----a-w-	d:\windows\system32\drivers\Rtenicxp.sys
2011-07-08 10:15:37	102416	----a-w-	d:\windows\system32\RTNUninst32.dll
2011-07-08 10:15:13	404640	----a-w-	d:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-08 10:14:47	--------	d-----w-	d:\program files\Spybot - Search & Destroy
2011-07-08 10:14:47	--------	d-----w-	d:\documents and settings\all users\application data\Spybot - Search & Destroy
2011-07-08 10:13:59	--------	d-----w-	d:\program files\Wise Registry Cleaner
2011-07-08 10:13:16	--------	d-----w-	d:\program files\Wise Disk Cleaner
2011-07-08 10:12:42	--------	d-----w-	d:\program files\Auslogics
2011-07-08 10:10:47	610436	----a-w-	d:\program files\common files\installshield\engine\6\intel 32\IKernel.exe
2011-07-08 10:09:59	9721960	----a-w-	d:\windows\RTLCPL.EXE
2011-07-08 10:08:48	--------	d--h--w-	d:\documents and settings\all users\application data\Common Files
2011-07-08 10:08:35	--------	d-----w-	d:\documents and settings\all users\application data\MFAData
2011-07-08 10:05:35	--------	d-----w-	d:\program files\ATI Technologies
2011-07-08 10:04:52	--------	d-----w-	D:\ATI
2011-07-08 10:01:19	--------	d-----w-	D:\Backup
.
==================== Find3M  ====================
.
2011-07-08 10:07:29	0	----a-w-	d:\windows\ativpsrm.bin
2011-06-30 08:38:14	29400	----a-w-	d:\windows\system32\drivers\cmdhlp.sys
2011-06-30 08:38:14	242600	----a-w-	d:\windows\system32\drivers\cmdGuard.sys
2011-06-30 08:38:12	17416	----a-w-	d:\windows\system32\drivers\cmderd.sys
2011-06-30 08:37:26	285256	----a-w-	d:\windows\system32\guard32.dll
2011-05-25 04:21:44	6554624	----a-w-	d:\windows\system32\drivers\ati2mtag.sys
2011-05-25 04:15:14	311296	----a-w-	d:\windows\system32\atiiiexx.dll
2011-05-25 03:53:14	57344	----a-w-	d:\windows\system32\aticalrt.dll
2011-05-25 03:53:06	53248	----a-w-	d:\windows\system32\aticalcl.dll
2011-05-25 03:47:42	17989632	----a-w-	d:\windows\system32\atioglxx.dll
2011-05-25 03:42:42	5922816	----a-w-	d:\windows\system32\aticaldd.dll
2011-05-25 03:14:06	4059328	----a-w-	d:\windows\system32\ati3duag.dll
2011-05-25 03:07:40	956160	----a-w-	d:\windows\system32\ativvamv.dll
2011-05-25 03:05:18	503808	----a-w-	d:\windows\system32\atiok3x2.dll
2011-05-25 02:58:28	53248	----a-w-	d:\windows\system32\drivers\ati2erec.dll
2011-05-25 02:56:58	462848	----a-w-	d:\windows\system32\ATIDEMGX.dll
2011-05-25 02:55:58	302592	----a-w-	d:\windows\system32\ati2dvag.dll
2011-05-25 02:54:56	3152384	----a-w-	d:\windows\system32\ativvaxx.dll
2011-05-25 02:39:28	212992	----a-w-	d:\windows\system32\atipdlxx.dll
2011-05-25 02:39:16	155648	----a-w-	d:\windows\system32\Oemdspif.dll
2011-05-25 02:39:08	26112	----a-w-	d:\windows\system32\Ati2mdxx.exe
2011-05-25 02:39:00	43520	----a-w-	d:\windows\system32\ati2edxx.dll
2011-05-25 02:38:52	64512	----a-w-	d:\windows\system32\atimpc32.dll
2011-05-25 02:38:52	64512	----a-w-	d:\windows\system32\amdpcom32.dll
2011-05-25 02:38:50	188416	----a-w-	d:\windows\system32\ati2evxx.dll
2011-05-25 02:37:34	643072	----a-w-	d:\windows\system32\ati2evxx.exe
2011-05-25 02:36:10	53248	----a-w-	d:\windows\system32\ATIDDC.DLL
2011-05-25 02:34:52	151552	----a-w-	d:\windows\system32\atiapfxx.exe
2011-05-25 02:31:28	651264	----a-w-	d:\windows\system32\atikvmag.dll
2011-05-25 02:27:52	200704	----a-w-	d:\windows\system32\atiadlxx.dll
2011-05-25 02:27:36	17408	----a-w-	d:\windows\system32\atitvo32.dll
2011-05-25 02:22:34	856064	----a-w-	d:\windows\system32\ati2cqag.dll
2011-05-10 10:24:24	6406760	----a-w-	d:\windows\system32\drivers\RtkHDAud.sys
2011-05-10 09:17:50	58984	----a-w-	d:\windows\system32\RtkCoInstXP.dll
2011-04-25 16:11:12	916480	----a-w-	d:\windows\system32\wininet.dll
2011-04-25 16:11:11	43520	------w-	d:\windows\system32\licmgr10.dll
2011-04-25 16:11:11	1469440	----a-w-	d:\windows\system32\inetcpl.cpl
2011-04-25 12:01:22	385024	------w-	d:\windows\system32\html.iec
.
=================== ROOTKIT  ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD1600AAJS-00L7A0 rev.01.03E01 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A6624D0]<< 
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a6687d0]; MOV EAX, [0x8a66884c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX;  }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A6EDAB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000066[0x8A6D1CB0]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A6F8D98]
\Driver\atapi[0x8A6ED9C0] -> IRP_MJ_CREATE -> 0x8A6624D0
error: Read  A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a;  }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A66231B
user & kernel MBR OK 
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 21:46:16.51 ===============

The GMER log is almost 50k lines so posting it seems a little rediculous, although, running it in safe mode will problem not see the problem as I noticed that no svchost was being naughty when in safe mode. If needed, I will uninstall AVG and re-scan.
Anyway, I have it zipped ready to attach if requested along with the attach.txt log

windows-virus

2 Contributors
11 Replies
409 Views
1 Day Discussion Span
Latest Post 13 Years Ago Latest Post by jholland1964

jholland1964 650 Posting Expert

13 Years Ago

I ask that you please don't disable or re-enable standard operating files during the clean up. By doing so you could make the scanners not see what they need to see or see something they need not worry about. So Please leave your security center and that type of thing alone. Also, if files are running, let them run, please do not do any manual stopping or anything else like that unless it is requested, ok?

You ARE aware that the COMODO Internet Security program is a FULL security suite aren't you? It contains both and anti-virus program and a firewall. This means you are running TWO anti-virus programs, which is a no-no. Plus, AVG is certainly not one of my favorites, but that is neither here nor there right now. You do have two anti-virus programs installed there.

You also did not post the Attach.txt log from the DDS Scanner and we DO need to see this. Please copy/paste that here also. Also please just copy/paste the logs directly into the posts, no need to put them into text boxes.

There is a rootkit on the system, which is evident by the findings of the Windows Malicious Software Removal tool and the DDS scanner, both of which have the notation of TDL3/Alureon rootkit.

Now, let's get rid of that rootkit. Please do the following and post back with the log.
Please read carefully and follow these steps.

* Download TDSSKiller and save it to your Desktop.

http://support.kaspersky.com/downloads/utils/tdsskiller.zip

* Extract its contents to your desktop.
* Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.

* If an infected file is detected, the default action will be Cure, click on Continue.

* If a suspicious file is detected, the default action will be Skip, click on Continue.

* It may ask you to reboot the computer to complete the process. Click on Reboot Now.

* If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.

* If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Edited 13 Years Ago by jholland1964 because: n/a

jholland1964 650 Posting Expert

13 Years Ago

Daemon Tools Lite is fine as far as I can see. Azureus - now called Vuze is a Bittorrent Client and is a P2P program. Absolutely the easiest way to get serious infections, without a doubt.
Anything you may have already downloaded with it would also be very suspect and should also be removed.
Also uninstall Auslogics Registry Cleaner. There is absolutely no reason whatsoever to ever use a registry cleaner.

Uninstall this and leave it off the computer, if you want to keep a clean computer.
You now need to Update MBA-M and run another Full Scan with it. Have it remove everything found and Reboot.
Post back here with the new log.

After that then do the following:
Please run the ESET Online Scanner

http://www.eset.com/onlinescan/scanner.php?i_agree=14

* You can use Internet Explorer to complete this scan and you will need to allow an Active X to be installed or you may use Firefox
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt.

Post back with that log also.

Edited 13 Years Ago by jholland1964 because: n/a

jholland1964 650 Posting Expert

13 Years Ago

I meant avast. They have some good boasts on their site.

Avast is an excellent antivirus program. Highly recommended and has very high ratings on independent testing also. Wait until you are certain the system is clean however before changing your av program. You don't want to damage a new program. Once it's clean you can remove AVG, which DOESN'T rank very high and go with Avast.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Sabre2th 0 Newbie Poster · Answer 1 · 2011-07-14T09:35:47+00:00

I ask that you please don't disable or re-enable standard operating files during the clean up. By doing so you could make the scanners not see what they need to see or see something they need not worry about. So Please leave your security center and that type of thing alone. Also, if files are running, let them run, please do not do any manual stopping or anything else like that unless it is requested, ok?

I will leave them as I stated in the first post but I have to kill svchost occasionally; to maintain functionality. For scans I will have to make sure the perpetrating process is running.

You ARE aware that the COMODO Internet Security program is a FULL security suite aren't you? It contains both and anti-virus program and a firewall. This means you are running TWO anti-virus programs, which is a no-no. Plus, AVG is certainly not one of my favorites, but that is neither here nor there right now. You do have two anti-virus programs installed there.

This version is specifically COMODO Firewall and only a firewall, I thought myself lucky to find it. I am also open to AV recommendations. I noticed on the forum Avanti was mentioned to be in the top of them.

TDSSKiller.2.5.11.0_14.07.2011_03.31.43_log.txt
2011/07/14 03:31:43.0140 1880 TDSS rootkit removing tool 2.5.11.0 Jul 11 2011 16:56:56
2011/07/14 03:31:43.0500 1880 ================================================================================
2011/07/14 03:31:43.0500 1880 SystemInfo:
2011/07/14 03:31:43.0500 1880
2011/07/14 03:31:43.0500 1880 OS Version: 5.1.2600 ServicePack: 3.0
2011/07/14 03:31:43.0500 1880 Product type: Workstation
2011/07/14 03:31:43.0500 1880 ComputerName: SUFFICIENT
2011/07/14 03:31:43.0500 1880 UserName: Sabre2th
2011/07/14 03:31:43.0500 1880 Windows directory: D:\windows
2011/07/14 03:31:43.0500 1880 System windows directory: D:\windows
2011/07/14 03:31:43.0500 1880 Processor architecture: Intel x86
2011/07/14 03:31:43.0500 1880 Number of processors: 2
2011/07/14 03:31:43.0500 1880 Page size: 0x1000
2011/07/14 03:31:43.0500 1880 Boot type: Normal boot
2011/07/14 03:31:43.0500 1880 ================================================================================
2011/07/14 03:31:46.0796 1880 Initialize success
2011/07/14 03:31:56.0937 2816 ================================================================================
2011/07/14 03:31:56.0937 2816 Scan started
2011/07/14 03:31:56.0937 2816 Mode: Manual;
2011/07/14 03:31:56.0937 2816 ================================================================================
2011/07/14 03:31:59.0812 2816 ACPI (8fd99680a539792a30e97944fdaecf17) D:\windows\system32\DRIVERS\ACPI.sys
2011/07/14 03:32:00.0625 2816 ACPIEC (9859c0f6936e723e4892d7141b1327d5) D:\windows\system32\drivers\ACPIEC.sys
2011/07/14 03:32:01.0656 2816 aec (8bed39e3c35d6a489438b8141717a557) D:\windows\system32\drivers\aec.sys
2011/07/14 03:32:02.0500 2816 AFD (7e775010ef291da96ad17ca4b17137d7) D:\windows\System32\drivers\afd.sys
2011/07/14 03:32:04.0031 2816 Ambfilt (267fc636801edc5ab28e14036349e3be) D:\windows\system32\drivers\Ambfilt.sys
2011/07/14 03:32:04.0859 2816 AmdPPM (033448d435e65c4bd72e70521fd05c76) D:\windows\system32\DRIVERS\AmdPPM.sys
2011/07/14 03:32:05.0609 2816 AppleCharger (75a8b998eb259dd512f01ea25bec7f3b) D:\windows\system32\DRIVERS\AppleCharger.sys
2011/07/14 03:32:06.0406 2816 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) D:\windows\system32\DRIVERS\asyncmac.sys
2011/07/14 03:32:07.0140 2816 atapi (9f3a2f5aa6875c72bf062c712cfa2674) D:\windows\system32\DRIVERS\atapi.sys
2011/07/14 03:32:08.0843 2816 ati2mtag (23f1a61ae7553d086ef264c72afc4e6a) D:\windows\system32\DRIVERS\ati2mtag.sys
2011/07/14 03:32:09.0765 2816 AtiHDAudioService (0d6b8359677d05142b624f09c28d643a) D:\windows\system32\drivers\AtihdXP3.sys
2011/07/14 03:32:10.0609 2816 Atmarpc (9916c1225104ba14794209cfa8012159) D:\windows\system32\DRIVERS\atmarpc.sys
2011/07/14 03:32:11.0375 2816 audstub (d9f724aa26c010a217c97606b160ed68) D:\windows\system32\DRIVERS\audstub.sys
2011/07/14 03:32:12.0187 2816 AVGIDSDriver (c403e7f715bb0a851a9dfae16ec4ae42) D:\windows\system32\DRIVERS\AVGIDSDriver.Sys
2011/07/14 03:32:12.0953 2816 AVGIDSEH (1af676db3f3d4cc709cfab2571cf5fc3) D:\windows\system32\DRIVERS\AVGIDSEH.Sys
2011/07/14 03:32:13.0734 2816 AVGIDSFilter (4c51e233c87f9ec7598551de554bc99d) D:\windows\system32\DRIVERS\AVGIDSFilter.Sys
2011/07/14 03:32:14.0500 2816 AVGIDSShim (c3fc426e54f55c1cc3219e415b88e10c) D:\windows\system32\DRIVERS\AVGIDSShim.Sys
2011/07/14 03:32:15.0312 2816 Avgldx86 (4e796d3d2c3182b13b3e3b5a2ad4ef0a) D:\windows\system32\DRIVERS\avgldx86.sys
2011/07/14 03:32:16.0046 2816 Avgmfx86 (5639de66b37d02bd22df4cf3155fba60) D:\windows\system32\DRIVERS\avgmfx86.sys
2011/07/14 03:32:16.0812 2816 Avgrkx86 (d1baf652eda0ae70896276a1fb32c2d4) D:\windows\system32\DRIVERS\avgrkx86.sys
2011/07/14 03:32:17.0640 2816 Avgtdix (aaf0ebcad95f2164cffb544e00392498) D:\windows\system32\DRIVERS\avgtdix.sys
2011/07/14 03:32:18.0437 2816 Beep (da1f27d85e0d1525f6621372e7b685e9) D:\windows\system32\drivers\Beep.sys
2011/07/14 03:32:19.0265 2816 Cdaudio (c1b486a7658353d33a10cc15211a873b) D:\windows\system32\drivers\Cdaudio.sys
2011/07/14 03:32:20.0031 2816 Cdfs (c885b02847f5d2fd45a24e219ed93b32) D:\windows\system32\drivers\Cdfs.sys
2011/07/14 03:32:20.0875 2816 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) D:\windows\system32\DRIVERS\cdrom.sys
2011/07/14 03:32:22.0421 2816 cmdGuard (251f906328af49e7927a1ad12b543a2f) D:\windows\system32\DRIVERS\cmdguard.sys
2011/07/14 03:32:23.0218 2816 cmdHlp (207f06d08afcdd3bbc801eab1a845cfb) D:\windows\system32\DRIVERS\cmdhlp.sys
2011/07/14 03:32:24.0750 2816 cpuz135 (c2eb4539a4f6ab6edd01bdc191619975) D:\windows\system32\drivers\cpuz135_x32.sys
2011/07/14 03:32:25.0593 2816 Disk (044452051f3e02e7963599fc8f4f3e25) D:\windows\system32\DRIVERS\disk.sys
2011/07/14 03:32:26.0421 2816 dmboot (d992fe1274bde0f84ad826acae022a41) D:\windows\system32\drivers\dmboot.sys
2011/07/14 03:32:27.0203 2816 dmio (7c824cf7bbde77d95c08005717a95f6f) D:\windows\system32\drivers\dmio.sys
2011/07/14 03:32:28.0093 2816 dmload (e9317282a63ca4d188c0df5e09c6ac5f) D:\windows\system32\drivers\dmload.sys
2011/07/14 03:32:28.0875 2816 DMusic (8a208dfcf89792a484e76c40e5f50b45) D:\windows\system32\drivers\DMusic.sys
2011/07/14 03:32:29.0656 2816 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) D:\windows\system32\drivers\drmkaud.sys
2011/07/14 03:32:30.0500 2816 dtsoftbus01 (555e54ac2f601a8821cef58961653991) D:\windows\system32\DRIVERS\dtsoftbus01.sys
2011/07/14 03:32:31.0625 2816 Fastfat (38d332a6d56af32635675f132548343e) D:\windows\system32\drivers\Fastfat.sys
2011/07/14 03:32:32.0406 2816 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) D:\windows\system32\DRIVERS\fdc.sys
2011/07/14 03:32:33.0218 2816 Fips (d45926117eb9fa946a6af572fbe1caa3) D:\windows\system32\drivers\Fips.sys
2011/07/14 03:32:33.0984 2816 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) D:\windows\system32\DRIVERS\flpydisk.sys
2011/07/14 03:32:34.0828 2816 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) D:\windows\system32\drivers\fltmgr.sys
2011/07/14 03:32:35.0593 2816 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) D:\windows\system32\drivers\Fs_Rec.sys
2011/07/14 03:32:36.0390 2816 Ftdisk (6ac26732762483366c3969c9e4d2259d) D:\windows\system32\DRIVERS\ftdisk.sys
2011/07/14 03:32:37.0156 2816 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) D:\windows\system32\DRIVERS\msgpc.sys
2011/07/14 03:32:37.0921 2816 HDAudBus (573c7d0a32852b48f3058cfd8026f511) D:\windows\system32\DRIVERS\HDAudBus.sys
2011/07/14 03:32:38.0734 2816 hidusb (ccf82c5ec8a7326c3066de870c06daf1) D:\windows\system32\DRIVERS\hidusb.sys
2011/07/14 03:32:39.0531 2816 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) D:\windows\system32\Drivers\HTTP.sys
2011/07/14 03:32:40.0375 2816 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) D:\windows\system32\DRIVERS\i8042prt.sys
2011/07/14 03:32:41.0140 2816 Imapi (083a052659f5310dd8b6a6cb05edcf8e) D:\windows\system32\DRIVERS\imapi.sys
2011/07/14 03:32:41.0953 2816 Inspect (c9953067b2c9e3d3dd44ec22d1e0815a) D:\windows\system32\DRIVERS\inspect.sys
2011/07/14 03:32:42.0828 2816 IntcAzAudAddService (7a1d5e631fa803beb2ee85e0774d48e3) D:\windows\system32\drivers\RtkHDAud.sys
2011/07/14 03:32:44.0500 2816 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) D:\windows\system32\drivers\ip6fw.sys
2011/07/14 03:32:45.0281 2816 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) D:\windows\system32\DRIVERS\ipfltdrv.sys
2011/07/14 03:32:46.0031 2816 IpInIp (b87ab476dcf76e72010632b5550955f5) D:\windows\system32\DRIVERS\ipinip.sys
2011/07/14 03:32:46.0890 2816 IpNat (cc748ea12c6effde940ee98098bf96bb) D:\windows\system32\DRIVERS\ipnat.sys
2011/07/14 03:32:47.0656 2816 IPSec (23c74d75e36e7158768dd63d92789a91) D:\windows\system32\DRIVERS\ipsec.sys
2011/07/14 03:32:48.0484 2816 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) D:\windows\system32\DRIVERS\irenum.sys
2011/07/14 03:32:49.0250 2816 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) D:\windows\system32\DRIVERS\isapnp.sys
2011/07/14 03:32:50.0031 2816 Kbdclass (463c1ec80cd17420a542b7f36a36f128) D:\windows\system32\DRIVERS\kbdclass.sys
2011/07/14 03:32:50.0765 2816 kbdhid (9ef487a186dea361aa06913a75b3fa99) D:\windows\system32\DRIVERS\kbdhid.sys
2011/07/14 03:32:51.0609 2816 kmixer (692bcf44383d056aed41b045a323d378) D:\windows\system32\drivers\kmixer.sys
2011/07/14 03:32:52.0390 2816 KSecDD (b467646c54cc746128904e1654c750c1) D:\windows\system32\drivers\KSecDD.sys
2011/07/14 03:32:53.0937 2816 MBAMSwissArmy (b309912717c29fc67e1ba4730a82b6dd) D:\windows\system32\drivers\mbamswissarmy.sys
2011/07/14 03:32:54.0718 2816 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) D:\windows\system32\drivers\Modem.sys
2011/07/14 03:32:55.0593 2816 Monfilt (c7d9f9717916b34c1b00dd4834af485c) D:\windows\system32\drivers\Monfilt.sys
2011/07/14 03:32:56.0390 2816 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) D:\windows\system32\DRIVERS\mouclass.sys
2011/07/14 03:32:57.0187 2816 mouhid (b1c303e17fb9d46e87a98e4ba6769685) D:\windows\system32\DRIVERS\mouhid.sys
2011/07/14 03:32:57.0953 2816 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) D:\windows\system32\drivers\MountMgr.sys
2011/07/14 03:32:58.0765 2816 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) D:\windows\system32\DRIVERS\mrxdav.sys
2011/07/14 03:32:59.0546 2816 MRxSmb (f3aefb11abc521122b67095044169e98) D:\windows\system32\DRIVERS\mrxsmb.sys
2011/07/14 03:33:00.0484 2816 Msfs (c941ea2454ba8350021d774daf0f1027) D:\windows\system32\drivers\Msfs.sys
2011/07/14 03:33:06.0234 2816 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) D:\windows\system32\drivers\MSKSSRV.sys
2011/07/14 03:33:08.0015 2816 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) D:\windows\system32\drivers\MSPCLOCK.sys
2011/07/14 03:33:09.0609 2816 MSPQM (bad59648ba099da4a17680b39730cb3d) D:\windows\system32\drivers\MSPQM.sys
2011/07/14 03:33:10.0390 2816 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) D:\windows\system32\DRIVERS\mssmbios.sys
2011/07/14 03:33:11.0359 2816 Mup (2f625d11385b1a94360bfc70aaefdee1) D:\windows\system32\drivers\Mup.sys
2011/07/14 03:33:12.0546 2816 NDIS (1df7f42665c94b825322fae71721130d) D:\windows\system32\drivers\NDIS.sys
2011/07/14 03:33:13.0296 2816 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) D:\windows\system32\DRIVERS\ndistapi.sys
2011/07/14 03:33:14.0078 2816 Ndisuio (f927a4434c5028758a842943ef1a3849) D:\windows\system32\DRIVERS\ndisuio.sys
2011/07/14 03:33:14.0921 2816 NdisWan (edc1531a49c80614b2cfda43ca8659ab) D:\windows\system32\DRIVERS\ndiswan.sys
2011/07/14 03:33:15.0703 2816 NDProxy (6215023940cfd3702b46abc304e1d45a) D:\windows\system32\drivers\NDProxy.sys
2011/07/14 03:33:16.0515 2816 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) D:\windows\system32\DRIVERS\netbios.sys
2011/07/14 03:33:17.0296 2816 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) D:\windows\system32\DRIVERS\netbt.sys
2011/07/14 03:33:18.0093 2816 Npfs (3182d64ae053d6fb034f44b6def8034a) D:\windows\system32\drivers\Npfs.sys
2011/07/14 03:33:18.0937 2816 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) D:\windows\system32\drivers\Ntfs.sys
2011/07/14 03:33:19.0781 2816 NuidFltr (cf7e041663119e09d2e118521ada9300) D:\windows\system32\DRIVERS\NuidFltr.sys
2011/07/14 03:33:20.0578 2816 Null (73c1e1f395918bc2c6dd67af7591a3ad) D:\windows\system32\drivers\Null.sys
2011/07/14 03:33:21.0390 2816 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) D:\windows\system32\DRIVERS\nwlnkflt.sys
2011/07/14 03:33:22.0140 2816 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) D:\windows\system32\DRIVERS\nwlnkfwd.sys
2011/07/14 03:33:22.0921 2816 Parport (5575faf8f97ce5e713d108c2a58d7c7c) D:\windows\system32\DRIVERS\parport.sys
2011/07/14 03:33:23.0734 2816 PartMgr (beb3ba25197665d82ec7065b724171c6) D:\windows\system32\drivers\PartMgr.sys
2011/07/14 03:33:24.0515 2816 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) D:\windows\system32\drivers\ParVdm.sys
2011/07/14 03:33:25.0359 2816 PCI (a219903ccf74233761d92bef471a07b1) D:\windows\system32\DRIVERS\pci.sys
2011/07/14 03:33:26.0843 2816 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) D:\windows\system32\DRIVERS\pciide.sys
2011/07/14 03:33:27.0687 2816 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) D:\windows\system32\drivers\Pcmcia.sys
2011/07/14 03:33:31.0609 2816 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) D:\windows\system32\DRIVERS\raspptp.sys
2011/07/14 03:33:32.0515 2816 Processor (a32bebaf723557681bfc6bd93e98bd26) D:\windows\system32\DRIVERS\processr.sys
2011/07/14 03:33:33.0328 2816 PSched (09298ec810b07e5d582cb3a3f9255424) D:\windows\system32\DRIVERS\psched.sys
2011/07/14 03:33:34.0109 2816 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) D:\windows\system32\DRIVERS\ptilink.sys
2011/07/14 03:33:34.0953 2816 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) D:\windows\system32\DRIVERS\rasacd.sys
2011/07/14 03:33:35.0750 2816 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) D:\windows\system32\DRIVERS\rasl2tp.sys
2011/07/14 03:33:36.0609 2816 RasPppoe (5bc962f2654137c9909c3d4603587dee) D:\windows\system32\DRIVERS\raspppoe.sys
2011/07/14 03:33:37.0406 2816 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) D:\windows\system32\DRIVERS\raspti.sys
2011/07/14 03:33:38.0203 2816 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) D:\windows\system32\DRIVERS\rdbss.sys
2011/07/14 03:33:39.0000 2816 RDPCDD (4912d5b403614ce99c28420f75353332) D:\windows\system32\DRIVERS\RDPCDD.sys
2011/07/14 03:33:39.0890 2816 RDPWD (6728e45b66f93c08f11de2e316fc70dd) D:\windows\system32\drivers\RDPWD.sys
2011/07/14 03:33:40.0703 2816 redbook (f828dd7e1419b6653894a8f97a0094c5) D:\windows\system32\DRIVERS\redbook.sys
2011/07/14 03:33:41.0593 2816 RTLE8023xp (1323ba3ca4e8d863eb00cd81c0aaf356) D:\windows\system32\DRIVERS\Rtenicxp.sys
2011/07/14 03:33:42.0406 2816 Secdrv (90a3935d05b494a5a39d37e71f09a677) D:\windows\system32\DRIVERS\secdrv.sys
2011/07/14 03:33:43.0187 2816 serenum (0f29512ccd6bead730039fb4bd2c85ce) D:\windows\system32\DRIVERS\serenum.sys
2011/07/14 03:33:44.0000 2816 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) D:\windows\system32\DRIVERS\serial.sys
2011/07/14 03:33:44.0859 2816 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) D:\windows\system32\drivers\Sfloppy.sys
2011/07/14 03:33:46.0390 2816 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) D:\windows\system32\drivers\splitter.sys
2011/07/14 03:33:47.0125 2816 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) D:\windows\system32\DRIVERS\sr.sys
2011/07/14 03:33:47.0937 2816 Srv (89220b427890aa1dffd1a02648ae51c3) D:\windows\system32\DRIVERS\srv.sys
2011/07/14 03:33:48.0718 2816 swenum (3941d127aef12e93addf6fe6ee027e0f) D:\windows\system32\DRIVERS\swenum.sys
2011/07/14 03:33:49.0593 2816 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) D:\windows\system32\drivers\swmidi.sys
2011/07/14 03:33:50.0390 2816 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) D:\windows\system32\drivers\sysaudio.sys
2011/07/14 03:33:51.0265 2816 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) D:\windows\system32\DRIVERS\tcpip.sys
2011/07/14 03:33:52.0125 2816 TDPIPE (6471a66807f5e104e4885f5b67349397) D:\windows\system32\drivers\TDPIPE.sys
2011/07/14 03:33:52.0921 2816 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) D:\windows\system32\drivers\TDTCP.sys
2011/07/14 03:33:53.0781 2816 TermDD (88155247177638048422893737429d9e) D:\windows\system32\DRIVERS\termdd.sys
2011/07/14 03:33:55.0359 2816 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) D:\windows\system32\drivers\Udfs.sys
2011/07/14 03:33:56.0265 2816 Update (402ddc88356b1bac0ee3dd1580c76a31) D:\windows\system32\DRIVERS\update.sys
2011/07/14 03:33:57.0093 2816 usbccgp (173f317ce0db8e21322e71b7e60a27e8) D:\windows\system32\DRIVERS\usbccgp.sys
2011/07/14 03:33:57.0953 2816 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) D:\windows\system32\DRIVERS\usbehci.sys
2011/07/14 03:33:58.0765 2816 usbfilter (e5b14557793164db879ee56f5b59c3e2) D:\windows\system32\DRIVERS\usbfilter.sys
2011/07/14 03:33:59.0609 2816 usbhub (1ab3cdde553b6e064d2e754efe20285c) D:\windows\system32\DRIVERS\usbhub.sys
2011/07/14 03:34:00.0406 2816 usbohci (0daecce65366ea32b162f85f07c6753b) D:\windows\system32\DRIVERS\usbohci.sys
2011/07/14 03:34:01.0171 2816 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) D:\windows\System32\drivers\vga.sys
2011/07/14 03:34:02.0750 2816 VolSnap (4c8fcb5cc53aab716d810740fe59d025) D:\windows\system32\drivers\VolSnap.sys
2011/07/14 03:34:03.0562 2816 Wanarp (e20b95baedb550f32dd489265c1da1f6) D:\windows\system32\DRIVERS\wanarp.sys
2011/07/14 03:34:04.0406 2816 Wdf01000 (fd47474bd21794508af449d9d91af6e6) D:\windows\system32\DRIVERS\Wdf01000.sys
2011/07/14 03:34:05.0906 2816 wdmaud (6768acf64b18196494413695f0c3a00f) D:\windows\system32\drivers\wdmaud.sys
2011/07/14 03:34:06.0750 2816 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) D:\windows\system32\DRIVERS\wmiacpi.sys
2011/07/14 03:34:06.0812 2816 MBR (0x1B8) (2839639fa37b8353e792a2a30a12ced3) \Device\Harddisk0\DR0
2011/07/14 03:34:06.0828 2816 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/07/14 03:34:06.0828 2816 Boot (0x1200) (15290f23ca57d4e8bc29020059344879) \Device\Harddisk0\DR0\Partition0
2011/07/14 03:34:06.0843 2816 ================================================================================
2011/07/14 03:34:06.0843 2816 Scan finished
2011/07/14 03:34:06.0843 2816 ================================================================================
2011/07/14 03:34:06.0859 0588 Detected object count: 1
2011/07/14 03:34:06.0859 0588 Actual detected object count: 1
2011/07/14 03:34:17.0578 0588 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/07/14 03:34:17.0578 0588 \Device\Harddisk0\DR0 - ok
2011/07/14 03:34:17.0578 0588 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure
2011/07/14 03:34:30.0687 1996 Deinitialize success

Attach.txt
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 7/8/2011 6:59:32 AM
System Uptime: 7/13/2011 9:39:45 PM (0 hours ago)
.
Motherboard: Gigabyte Technology Co., Ltd. | | GA-770T-D3L
Processor: AMD Phenom(tm) II X2 560 Processor | Socket M2 | 2187/200mhz
.
==== Disk Partitions =========================
.
A: is Removable
D: is FIXED (NTFS) - 149 GiB total, 114.244 GiB free.
E: is CDROM ()
F: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1: 7/13/2011 7:47:52 PM - System Checkpoint
.
==== Installed Programs ======================
.
Adobe Flash Player 10 Plugin
AMD Processor Driver
AMD USB Filter Driver
ATI Catalyst Install Manager
Auslogics Disk Defrag
Auslogics Registry Cleaner
AVG 2011
Catalyst Control Center
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
ccc-utility
CCC Help English
Champions Online: Free For All
COMODO Internet Security
CPUID CPU-Z 1.58
DAEMON Tools Lite
DAEMON Tools Toolbar
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB981793)
IrfanView (remove only)
Java Auto Updater
Java(TM) 6 Update 26
Malwarebytes' Anti-Malware version 1.51.0.1200
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox 5.0 (x86 en-US)
Notepad++
ON_OFF Charge B10.0427.1
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Spybot - Search & Destroy
StarCraft II
Steam
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows XP (KB2467659)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Vuze
WebFldrs XP
Windows Internet Explorer 8
Windows XP Service Pack 3
WinRAR 4.01 (32-bit)
Wise Disk Cleaner 5.93
Wise Registry Cleaner 5.9.4
.
==== Event Viewer Messages From Past Week ========
.
7/13/2011 7:47:52 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000009A' while processing the file 'NppFTP.xml' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
7/13/2011 6:28:40 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdPPM AppleCharger Avgldx86 Avgmfx86 Avgtdix cmdGuard cmdHlp Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
7/13/2011 6:28:40 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
7/13/2011 6:28:40 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/13/2011 6:28:40 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/13/2011 6:28:40 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
7/13/2011 6:18:11 PM, error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 4 time(s).
7/13/2011 6:18:11 PM, error: Service Control Manager [7031] - The Windows Time service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/13/2011 6:18:11 PM, error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 4 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/13/2011 6:18:11 PM, error: Service Control Manager [7031] - The Windows Audio service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/13/2011 3:52:52 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
7/13/2011 2:15:19 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
7/13/2011 12:50:37 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
.
==== End Of File ===========================

Seems ok for now...touch wood. No expanding svchost though that might be premature.

I can't think how this was installed during the few hours that I was installing initial software on this OS. It may be that I didn't update windows fully before installing other programs although I could give you a list of the initial programs I installed.
The only questionable ones I can see are Daemon Tools Lite and Azureus. Damn, I'm disappointed in them.

Thanks for your response. Will report tomorrow.

Sabre2th 0 Newbie Poster · Answer 2 · 2011-07-14T09:54:06+00:00

I noticed on the forum Avanti was mentioned to be in the top of them.

I meant avast. They have some good boasts on their site.

Sabre2th 0 Newbie Poster · Answer 3 · 2011-07-14T11:30:02+00:00

mbam-log-2011-07-14 (05-39-49).txt
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7122

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

14/07/2011 05:39:49
mbam-log-2011-07-14 (05-39-49).txt

Scan type: Full scan (D:\|)
Objects scanned: 195105
Time elapsed: 43 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ESET log.txt
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=6f2bf78153c94947ba66f25050af0bb4
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-07-14 05:22:28
# local_time=2011-07-14 06:22:28 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1032 16777173 100 95 61814 53909453 0 0
# compatibility_mode=3073 16777213 80 75 498538 2037347 0 0
# compatibility_mode=8192 67108863 100 0 191 191 0 0
# scanned=57360
# found=0
# cleaned=0
# scan_time=1889

---

Still no sign of svchost playing up. Dare I say I'm cured?

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 4 · 2011-07-14T19:58:13+00:00

Still no sign of svchost playing up. Dare I say I'm cured?
It looks pretty good.I would say you are very lucky for several reasons, one probably due to the fact that you had just done the reinstall. Not a lot of the usual extras that can easily be infected and make the removals difficult, if not impossible. Probably also not a lot of personal information on there that then puts really a person's whole financial and personal life at risk. Another reason is the fact that you obviously DO or DID P2P sharing. Such a dangerous activity! As I said, probably the easiest way to get an infection. It never ceases to amaze me that persons are more than willing to risk the computer itself, personal and banking information, telephone numbers, email addresses and yes, their ability to be served by their internet provider all for the sake of illegally getting "for free" a 99 cent song or a $50 game or $100 program. I always ask person's who use P2P to illegally obtain these things if they would even seriously consider walking into a restaurant and eating the rest of a partially eaten sandwich left on a table by an unknown customer rather than purchasing their own, untainted and freshly prepared sandwich. The answer of course given by 99.9% of persons asked always say unless they actually were starving to death they would never even consider this. But yet this is what is being done using P2P. Sharing with person's unknown and doing it willingly with no guarantee that the files don't contain something hidden that will put your entire "online life" at great risk. Where did the "sharer" get the $50 game? Is he actually going to give away a %50 program he purchased with his hard earned money because he is a generous person? Maybe, but not likely.He got it from some other unknown person, who got it from... etc. What the heck, make new friends, pass that half eaten sandwich around the restaurant to everyone there, save them all some money! Chances are you will see everyone there later in the doctor's office. I will get off my "soap box" after all if nobody used P2P then I wouldn't have anything to do here.
I would advise that you do Uninstall AVG and get a good anti-virus program. Uninstall AVG via Add/Remove and then use their uninstall tool to be certain that all remaining files are gone. You can get that tool here;
http://www.avg.com/ww-en/utilities

Then install Avast from here;
http://www.avast.com/free-antivirus-download

I would also strongly recommend that you add one more superb, FREE protection program, SpywareBlaster from Javacool.
"SpywareBlaster doesn't scan for and clean spyware--it prevents it from being installed in the first place. SpywareBlaster prevents the installation of ActiveX-based spyware, adware, dialers, browser hijackers, and other potentially unwanted programs. It can also block spyware/tracking cookies in IE, Mozilla Firefox, Netscape, and many other browsers, and restrict the actions of spyware/ad/tracking sites."

Really a MUST HAVE program, I wouldn't run a computer without it. Download, Install, Update and then enable all protection and close the program. It DOES NOT run in the background but offers superb protection. Just manually check for updates every few weeks and if updates are available download them, enable all protection and close the program.
You can get it from here;
http://download.cnet.com/SpywareBlaster/3000-8022_4-10196637.html

Also check this website for correct services settings.

http://www.blackviper.com/2008/05/19/black-vipers-windows-xp-x86-32-bit-service-pack-3-service-configurations/

Keep MBA-M and update and do at least a Quick Scan once a week. If something is found have it remove whatever found. Reboot the computer and then update again and do a Full Scan just to be certain all is removed.

If you feel all is good you can mark this thread solved.

Sabre2th 0 Newbie Poster · Answer 5 · 2011-07-14T23:08:14+00:00

Excellent! Yup, all seems to be working brilliantly plus I now have a sexy female voice for an AV. Thank you very much!

After going through this and from what you have mentioned I agree that P2P is just not worth it. You end up paying for it in the end. It's not like I'm haphazard - I'm very cautious about what files I open but I guess it is easy to be fooled.

One final question: If I do need to install some application that I don't fully trust, is it safe to use a virtual machine to do a test install? Will malware be able to breach through the VM onto the actual machine?

Once again, thank you greatly for your time and patience.

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 6 · 2011-07-14T23:35:07+00:00

One final question: If I do need to install some application that I don't fully trust, is it safe to use a virtual machine to do a test install? Will malware be able to breach through the VM onto the actual machine?
Once again, thank you greatly for your time and patience.

Quite honestly I don't know, though I would think that if there is a security vulnerability in VM software that is known to an attacker and it is unpatched, it certainly can be exploited like a vulnerability in any other type of software used for security. But like I said, I am not that familiar with VM software. But as devious as these malware writers are today one must assume that really nothing is 100% safe today. We just have to make the best attempt to keep our machines as safe as possible so the question I then would have for you is why would you NEED to or even consider running a application that you don't fully trust? To me that would be like hiring a convicted bank robber to be the guard in a bank just because he promises not to rob any more banks. Would you trust him completely? I doubt it, would you even hire him? I doubt it.

Sabre2th 0 Newbie Poster · Answer 7 · 2011-07-15T00:18:27+00:00

Small, single purpose applications that don't have big reputations behind them to back them up. I rarely fully trust any software but there just doesn't seem to be a tool that can run applications in a locked and safe environment bar setting up a dedicated machine that can be easily wiped clean and reinstalled.
I guess an up-to-date scan of the install executable is the best option.

Anyway, you have been a great help. I will have to stick around to keep my personal knowledge up-to-date. I miss the days when virus' were clearly visible as an individual process and could be manually removed :P

Thanks again. Marking as solved.

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 8 · 2011-07-15T00:22:56+00:00

"I guess an up-to-date scan of the install executable is the best option."
Absolutely, plus Avast and MBA-M both offer single file scanning for situations such as this. Scanning one executable should take only a few moments. I would use BOTH programs as each looks for different infections. Better be safe than sorry.
You're very welcome. Happy I could provide some help.