Multiple serious infections

gregrocker

Trying to help a friend whose system was frozen with files hidden. Avast boot scan found numerous infections which it doesn't seem to fix since I've run it three times. So did Combofix after rKill, which unhid the files and otherwise restored performance. Still we get a popup at every boot from PC Optimizer Pro claiming numerous infections.

Avast boot scan log:
Code:
10/26/2011 17:41
Scan of all local drives

File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\3ef65551-76154ae1|>rotor\zalux$zordo.class is infected by Java:Agent-TB [Expl], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\3ef65551-76154ae1|>rotor\zalux.class is infected by Java:Agent-WY [Expl], Deleted

----------------------------------------
08/08/2012 20:38
Scan of all local drives

File C:\ProgramData\IzoeBi1ZSaHfSx.exe is infected by Win32:Dropper-gen [Drp], Deleted
File C:\Users\David\AppData\Local\myoieyec.exe is infected by Win32:MalOb-GF [Cryp], Deleted
File C:\Users\David\AppData\Local\Temp\eEPJSrKBEl07iN.exe.tmp is infected by Win32:Rootkit-gen [Rtk], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\39db9912-13fb5790 is infected by Win32:MalOb-GF [Cryp], Deleted
Number of searched folders: 44301
Number of tested files: 265580
Number of infected files: 4

----------------------------------------
08/09/2012 10:03
Scan of all local drives

File C:\ProgramData\AVAST Software\Avast\log\unp192751541.tmp.mdmp is infected by MBR:Alureon-K [Rtk], Repair: Error 42060 {The file was not repaired.}, Move to chest: Error 0xC000007B {Bad Image}, Delete: Error 0xC0000034 {Object Name not found.}, Delete: Error 0xC0000034 {Object Name not found.}, Delete: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}
File C:\ProgramData\AVAST Software\Avast\log\ Error 0xC000000D {An invalid parameter was passed to a service or function.}
File C:\ProgramData\AVAST Software\Avast\log\unp49058768.tmp.mdmp is infected by MBR:Alureon-K [Rtk], Deleted
File C:\ProgramData\AVAST Software\Avast\log\unp53929307.tmp.mdmp is infected by MBR:Alureon-K [Rtk], Deleted
File C:\ProgramData\AVAST Software\Avast\log\unp70394681.tmp.mdmp is infected by MBR:Alureon-K [Rtk], Deleted
File C:\ProgramData\AVAST Software\Avast\log\unp80668799.tmp.mdmp is infected by MBR:Alureon-K [Rtk], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\3ef65551-76154ae1|>rotor\Glocker.class is infected by Java:Agent-ZY [Expl], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\3ef65551-76154ae1|>rotor\zalux$1.class is infected by Java:Agent-ZX [Expl], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\3ef65551-76154ae1|>rotor\Zo666.class is infected by Java:Agent-ZZ [Expl], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\3ef65551-76154ae1|>rotor\Zom.class is infected by Java:Agent-ZW [Expl], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\3ef65551-76154ae1|>rotor\Zom2.class is infected by Java:Agent-ATN [Expl], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\10bca31e-7083159b|>xmltree\armin.class is infected by Java:Agent-AIY [Expl], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\10bca31e-7083159b|>xmltree\erandus.class is infected by Java:Agent-AIZ [Expl], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\10bca31e-7083159b|>xmltree\lindsa.class is infected by Java:Agent-AJA [Expl], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\10bca31e-7083159b|>xmltree\opkat.class is infected by Java:Agent-AIX [Expl], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\10bca31e-7083159b|>xmltree\oplef.class is infected by Java:Agent-AJC [Expl], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\10bca31e-7083159b|>xmltree\rekona.class is infected by Java:Agent-AJB [Expl], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\300446c-1c88125b|>Wiki.class is infected by Java:Agent-AOY [Trj], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\4911143c-1642ce2b|>notana.class is infected by Java:Agent-ANE [Expl], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\5b0baa7e-7e37a8aa|>main.class is infected by Java:Agent-AXI [Expl], Deleted
File C:\Windows\temp\_avast_\unp231066075.tmp|>nsis.hdr is infected by NSIS:Malware-gen [Trj], Deleted
Number of searched folders: 15948
Number of tested files: 453402
Number of infected files: 20

Even after all scans, a popup appears at every boot on the desktop for PC Optimizer Pro saying numerous Critical errors were found. I have uninstalled PCOP in Control Panel but it persists.

So I run rkill followed by Combofix. As Combofix is loading, I get a popup from Avast saying a rootkit was found, MBR:Alureo, whose file name is Rootkit.narr. It wants me to Delete it and run the Boot scan again.

Combofix report:
Code:
ComboFix 12-08-09.01 - David 08/09/2012  11:31:56.2.2 - x86
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.2975.2120 [GMT -7:00]
Running from: c:\users\David\Desktop\svchost.exe.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check
.
---- Previous Run -------
.
c:\users\David\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\PC Optimizer Pro.lnk
c:\users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check\System Check.lnk
c:\users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check\Uninstall System Check.lnk
c:\users\David\Desktop\System Check.lnk
.
.
(((((((((((((((((((((((((   Files Created from 2012-07-09 to 2012-08-09  )))))))))))))))))))))))))))))))
.
.
2012-08-09 05:48 . 2012-07-16 09:41    6891424    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{AFD2CF20-1D69-4B5A-90E5-AEFC5E1D024A}\mpengine.dll
2012-08-09 04:14 . 2012-08-09 04:14    --------    d-----w-    c:\windows\Microsoft Antimalware
2012-08-09 04:14 . 2012-08-09 04:14    --------    d-----w-    c:\windows\Windows Defender Offline
2012-08-09 03:34 . 2012-08-09 05:45    --------    d-----w-    C:\ComboFix
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-03 16:21 . 2011-04-09 04:54    54232    ----a-w-    c:\windows\system32\drivers\aswTdi.sys
2012-07-03 16:21 . 2012-03-24 00:31    44784    ----a-w-    c:\windows\system32\drivers\aswRdr2.sys
2012-07-03 16:21 . 2011-04-09 04:54    21256    ----a-w-    c:\windows\system32\drivers\aswFsBlk.sys
2012-07-03 16:21 . 2011-04-09 04:54    353688    ----a-w-    c:\windows\system32\drivers\aswSP.sys
2012-07-03 16:21 . 2011-04-09 04:54    721000    ----a-w-    c:\windows\system32\drivers\aswSnx.sys
2012-07-03 16:21 . 2011-04-09 04:54    57656    ----a-w-    c:\windows\system32\drivers\aswMonFlt.sys
2012-07-03 16:21 . 2011-04-09 04:53    41224    ----a-w-    c:\windows\avastSS.scr
2012-07-03 16:21 . 2011-04-09 04:53    227648    ----a-w-    c:\windows\system32\aswBoot.exe
2012-05-31 19:25 . 2011-04-09 01:31    237072    ------w-    c:\windows\system32\MpSigStub.exe
2012-03-26 01:47 . 2011-05-31 05:55    97208    ----a-w-    c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((   SnapShot@2012-08-09_06.29.59   )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-08-09 15:09 . 2012-06-02 22:19    45080              c:\windows\winsxs\x86_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_7.6.7600.256_none_79d6786e99338140\wups2.dll
+ 2012-08-09 15:09 . 2012-06-02 22:19    53784              c:\windows\winsxs\x86_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_7.6.7600.256_none_79d6786e99338140\wuauclt.exe
+ 2012-08-09 15:09 . 2012-06-02 22:12    33792              c:\windows\winsxs\x86_microsoft-windows-w..pdateclient-activex_31bf3856ad364e35_7.6.7600.256_none_09f272fb52ab0c3f\wuapp.exe
+ 2012-08-09 15:09 . 2012-06-02 22:19    35864              c:\windows\winsxs\x86_microsoft-windows-w..owsupdateclient-aux_31bf3856ad364e35_7.6.7600.256_none_5fe7b2baacf3da43\wups.dll
+ 2012-08-09 15:09 . 2012-06-02 22:12    88576              c:\windows\winsxs\x86_microsoft-windows-w..owsupdateclient-aux_31bf3856ad364e35_7.6.7600.256_none_5fe7b2baacf3da43\wudriver.dll
+ 2009-07-13 23:47 . 2009-07-14 01:16    47104              c:\windows\winsxs\x86_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.21955_none_1a1855541c176f4a\NBMapTIP.dll
+ 2009-07-13 23:47 . 2009-07-14 01:16    47104              c:\windows\winsxs\x86_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17803_none_19c2c79102d3111d\NBMapTIP.dll
+ 2009-07-13 23:47 . 2009-07-14 01:16    47104              c:\windows\winsxs\x86_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7600.21179_none_18202fda1efdd6b7\NBMapTIP.dll
+ 2009-07-13 23:47 . 2009-07-14 01:16    47104              c:\windows\winsxs\x86_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7600.16988_none_178aeab705e90645\NBMapTIP.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    22528              c:\windows\winsxs\x86_microsoft-windows-t..ournalnotewriterqfe_31bf3856ad364e35_6.1.7601.21955_none_4fff0713f624080b\jnwppr.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    19968              c:\windows\winsxs\x86_microsoft-windows-t..ournalnotewriterqfe_31bf3856ad364e35_6.1.7601.21955_none_4fff0713f624080b\jnwmon.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    84480              c:\windows\winsxs\x86_microsoft-windows-t..ournalnotewriterqfe_31bf3856ad364e35_6.1.7601.21955_none_4fff0713f624080b\jnwdui.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    22528              c:\windows\winsxs\x86_microsoft-windows-t..ournalnotewriterqfe_31bf3856ad364e35_6.1.7601.17803_none_4fa97950dcdfa9de\jnwppr.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    19968              c:\windows\winsxs\x86_microsoft-windows-t..ournalnotewriterqfe_31bf3856ad364e35_6.1.7601.17803_none_4fa97950dcdfa9de\jnwmon.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    84480              c:\windows\winsxs\x86_microsoft-windows-t..ournalnotewriterqfe_31bf3856ad364e35_6.1.7601.17803_none_4fa97950dcdfa9de\jnwdui.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    22528              c:\windows\winsxs\x86_microsoft-windows-t..ournalnotewriterqfe_31bf3856ad364e35_6.1.7600.21179_none_4e06e199f90a6f78\jnwppr.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    19968              c:\windows\winsxs\x86_microsoft-windows-t..ournalnotewriterqfe_31bf3856ad364e35_6.1.7600.21179_none_4e06e199f90a6f78\jnwmon.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    84480              c:\windows\winsxs\x86_microsoft-windows-t..ournalnotewriterqfe_31bf3856ad364e35_6.1.7600.21179_none_4e06e199f90a6f78\jnwdui.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    22528              c:\windows\winsxs\x86_microsoft-windows-t..ournalnotewriterqfe_31bf3856ad364e35_6.1.7600.16988_none_4d719c76dff59f06\jnwppr.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    19968              c:\windows\winsxs\x86_microsoft-windows-t..ournalnotewriterqfe_31bf3856ad364e35_6.1.7600.16988_none_4d719c76dff59f06\jnwmon.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    84480              c:\windows\winsxs\x86_microsoft-windows-t..ournalnotewriterqfe_31bf3856ad364e35_6.1.7600.16988_none_4d719c76dff59f06\jnwdui.dll
+ 2009-07-13 23:47 . 2009-07-14 01:14    48640              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7601.21955_none_44cbbc6cc484b691\PDIALOG.exe
+ 2009-07-13 23:47 . 2009-07-14 01:15    22528              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7601.21955_none_44cbbc6cc484b691\jnwppr.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    19968              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7601.21955_none_44cbbc6cc484b691\jnwmon.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    84480              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7601.21955_none_44cbbc6cc484b691\jnwdui.dll
+ 2009-07-13 23:47 . 2009-07-14 01:14    48640              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7601.17803_none_44762ea9ab405864\PDIALOG.exe
+ 2009-07-13 23:47 . 2009-07-14 01:15    22528              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7601.17803_none_44762ea9ab405864\jnwppr.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    19968              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7601.17803_none_44762ea9ab405864\jnwmon.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    84480              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7601.17803_none_44762ea9ab405864\jnwdui.dll
+ 2009-07-13 23:47 . 2009-07-14 01:14    48640              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7600.21179_none_42d396f2c76b1dfe\PDIALOG.exe
+ 2009-07-13 23:47 . 2009-07-14 01:15    22528              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7600.21179_none_42d396f2c76b1dfe\jnwppr.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    19968              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7600.21179_none_42d396f2c76b1dfe\jnwmon.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    84480              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7600.21179_none_42d396f2c76b1dfe\jnwdui.dll
+ 2009-07-13 23:47 . 2009-07-14 01:14    48640              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7600.16988_none_423e51cfae564d8c\PDIALOG.exe
+ 2009-07-13 23:47 . 2009-07-14 01:15    22528              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7600.16988_none_423e51cfae564d8c\jnwppr.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    19968              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7600.16988_none_423e51cfae564d8c\jnwmon.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    84480              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7600.16988_none_423e51cfae564d8c\jnwdui.dll
+ 2011-06-02 06:15 . 2010-11-20 10:21    15872              c:\windows\winsxs\x86_microsoft-windows-r..s-regkeys-component_31bf3856ad364e35_6.1.7601.21982_none_31d187047f696dc4\rdpvideominiport.sys
+ 2011-06-02 06:15 . 2010-11-20 10:21    15872              c:\windows\winsxs\x86_microsoft-windows-r..s-regkeys-component_31bf3856ad364e35_6.1.7601.17830_none_317bf94166250f97\rdpvideominiport.sys
+ 2012-01-16 22:33 . 2011-11-17 05:34    15872              c:\windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.1.7601.17856_none_a828bb43bb2beb28\sspisrv.dll
+ 2012-01-16 22:33 . 2011-11-17 05:34    22016              c:\windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.1.7601.17856_none_a828bb43bb2beb28\secur32.dll
+ 2012-01-16 22:33 . 2011-11-17 05:29    22528              c:\windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.1.7601.17856_none_a828bb43bb2beb28\lsass.exe
+ 2012-01-16 22:33 . 2011-11-17 05:39    15360              c:\windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.1.7600.17035_none_a656d407bdf6641e\sspisrv.dll
+ 2012-01-16 22:33 . 2011-11-17 05:39    99840              c:\windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.1.7600.17035_none_a656d407bdf6641e\sspicli.dll
+ 2012-01-16 22:33 . 2011-11-17 05:39    22016              c:\windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.1.7600.17035_none_a656d407bdf6641e\secur32.dll
+ 2012-01-16 22:33 . 2011-11-17 05:36    22528              c:\windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.1.7600.17035_none_a656d407bdf6641e\lsass.exe
+ 2012-08-09 15:09 . 2012-06-02 22:19    45080              c:\windows\System32\wups2.dll
+ 2012-08-09 15:09 . 2012-06-02 22:19    35864              c:\windows\System32\wups.dll
+ 2012-08-09 15:09 . 2012-06-02 22:12    88576              c:\windows\System32\wudriver.dll
+ 2012-08-09 15:09 . 2012-06-02 22:19    53784              c:\windows\System32\wuauclt.exe
- 2011-06-02 06:14 . 2010-11-20 12:17    33792              c:\windows\System32\wuapp.exe
+ 2012-08-09 15:09 . 2012-06-02 22:12    33792              c:\windows\System32\wuapp.exe
+ 2011-04-09 03:55 . 2012-08-09 18:01    34332              c:\windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 04:55 . 2012-08-09 18:01    41164              c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2011-05-31 05:38 . 2012-08-09 06:09    32768              c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-05-31 05:38 . 2012-08-09 18:15    32768              c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-05-31 05:38 . 2012-08-09 18:15    32768              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-05-31 05:38 . 2012-08-09 06:09    32768              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-05-31 05:38 . 2012-08-09 18:15    16384              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-05-31 05:38 . 2012-08-09 06:09    16384              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-06-02 22:19 . 2012-06-02 22:19    73088              c:\windows\SoftwareDistribution\SelfUpdate\Handler\WuSetupV.exe
+ 2009-07-14 04:34 . 2012-08-09 17:02    87696              c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2009-07-14 00:19 . 2009-07-14 01:07    2048              c:\windows\winsxs\x86_microsoft-windows-msxml60_31bf3856ad364e35_6.1.7601.22012_none_8afce0390e381ffd\msxml6r.dll
+ 2009-07-14 00:19 . 2009-07-14 01:07    2048              c:\windows\winsxs\x86_microsoft-windows-msxml60_31bf3856ad364e35_6.1.7601.17857_none_8a4d2d0df5363b68\msxml6r.dll
+ 2009-07-14 00:19 . 2009-07-14 01:07    2048              c:\windows\winsxs\x86_microsoft-windows-msxml60_31bf3856ad364e35_6.1.7600.21227_none_8910b4b911154eb5\msxml6r.dll
+ 2009-07-14 00:19 . 2009-07-14 01:07    2048              c:\windows\winsxs\x86_microsoft-windows-msxml60_31bf3856ad364e35_6.1.7600.17036_none_887b45d1f800b45e\msxml6r.dll
+ 2009-07-14 00:19 . 2009-07-14 01:07    2048              c:\windows\winsxs\x86_microsoft-windows-msxml30_31bf3856ad364e35_6.1.7601.22012_none_8afd24910e37d31a\msxml3r.dll
+ 2009-07-14 00:19 . 2009-07-14 01:07    2048              c:\windows\winsxs\x86_microsoft-windows-msxml30_31bf3856ad364e35_6.1.7600.21227_none_8910f911111501d2\msxml3r.dll
+ 2009-07-14 00:19 . 2009-07-14 01:07    2048              c:\windows\winsxs\x86_microsoft-windows-msxml30_31bf3856ad364e35_6.1.7600.17036_none_887b8a29f800677b\msxml3r.dll
+ 2011-04-09 01:14 . 2012-08-09 18:01    8152              c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3806059188-2109455386-291866110-1001_UserData.bin
+ 2012-08-09 15:13 . 2012-08-09 15:13    9560              c:\windows\System32\NetworkList\Icons\{782278D8-8ED0-4BF4-92AF-C144556D75C2}_48.bin
+ 2012-08-09 15:13 . 2012-08-09 15:13    4280              c:\windows\System32\NetworkList\Icons\{782278D8-8ED0-4BF4-92AF-C144556D75C2}_32.bin
+ 2012-08-09 15:13 . 2012-08-09 15:13    2456              c:\windows\System32\NetworkList\Icons\{782278D8-8ED0-4BF4-92AF-C144556D75C2}_24.bin
- 2012-08-09 05:37 . 2012-08-09 05:37    2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-08-09 18:00 . 2012-08-09 18:00    2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-08-09 18:00 . 2012-08-09 18:00    2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-08-09 05:37 . 2012-08-09 05:37    2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-08-09 15:09 . 2012-06-02 22:19    171904              c:\windows\winsxs\x86_microsoft-windows-w..pdateclient-activex_31bf3856ad364e35_7.6.7600.256_none_09f272fb52ab0c3f\wuwebv.dll
+ 2012-08-09 15:09 . 2012-06-02 22:19    577048              c:\windows\winsxs\x86_microsoft-windows-w..owsupdateclient-aux_31bf3856ad364e35_7.6.7600.256_none_5fe7b2baacf3da43\wuapi.dll
+ 2011-06-02 06:15 . 2010-11-20 12:29    187776              c:\windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.17802_none_b52e5147c4a202d7\FWPKCLNT.SYS
+ 2009-07-13 23:12 . 2009-07-14 01:20    187472              c:\windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7600.16986_none_b2f57423c7b8dea8\FWPKCLNT.SYS
+ 2009-07-13 23:47 . 2009-07-14 01:15    484352              c:\windows\winsxs\x86_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.21955_none_1a1855541c176f4a\MSPVWCTL.DLL
+ 2009-07-13 23:47 . 2009-07-14 01:15    672768              c:\windows\winsxs\x86_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.21955_none_1a1855541c176f4a\InkSeg.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    484352              c:\windows\winsxs\x86_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17803_none_19c2c79102d3111d\MSPVWCTL.DLL
+ 2009-07-13 23:47 . 2009-07-14 01:15    672768              c:\windows\winsxs\x86_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17803_none_19c2c79102d3111d\InkSeg.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    484352              c:\windows\winsxs\x86_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7600.21179_none_18202fda1efdd6b7\MSPVWCTL.DLL
+ 2009-07-13 23:47 . 2009-07-14 01:15    672768              c:\windows\winsxs\x86_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7600.21179_none_18202fda1efdd6b7\InkSeg.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    484352              c:\windows\winsxs\x86_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7600.16988_none_178aeab705e90645\MSPVWCTL.DLL
+ 2009-07-13 23:47 . 2009-07-14 01:15    672768              c:\windows\winsxs\x86_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7600.16988_none_178aeab705e90645\InkSeg.dll
+ 2009-07-13 23:46 . 2009-07-14 01:16    126464              c:\windows\winsxs\x86_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_6.1.7601.21955_none_ccf754dbae8e9b38\rtscom.dll
+ 2009-07-13 23:46 . 2009-07-14 01:15    216064              c:\windows\winsxs\x86_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_6.1.7601.21955_none_ccf754dbae8e9b38\InkEd.dll
+ 2009-07-13 23:46 . 2009-07-14 01:15    274944              c:\windows\winsxs\x86_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_6.1.7601.21955_none_ccf754dbae8e9b38\InkDiv.dll
+ 2009-07-13 23:46 . 2009-07-14 01:16    126464              c:\windows\winsxs\x86_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_6.1.7601.17803_none_cca1c718954a3d0b\rtscom.dll
+ 2009-07-13 23:46 . 2009-07-14 01:15    216064              c:\windows\winsxs\x86_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_6.1.7601.17803_none_cca1c718954a3d0b\InkEd.dll
+ 2009-07-13 23:46 . 2009-07-14 01:15    274944              c:\windows\winsxs\x86_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_6.1.7601.17803_none_cca1c718954a3d0b\InkDiv.dll
+ 2009-07-13 23:46 . 2009-07-14 01:16    126464              c:\windows\winsxs\x86_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_6.1.7600.21179_none_caff2f61b17502a5\rtscom.dll
+ 2009-07-13 23:46 . 2009-07-14 01:15    216064              c:\windows\winsxs\x86_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_6.1.7600.21179_none_caff2f61b17502a5\InkEd.dll
+ 2009-07-13 23:46 . 2009-07-14 01:15    274944              c:\windows\winsxs\x86_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_6.1.7600.21179_none_caff2f61b17502a5\InkDiv.dll
+ 2009-07-13 23:46 . 2009-07-14 01:16    126464              c:\windows\winsxs\x86_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_6.1.7600.16988_none_ca69ea3e98603233\rtscom.dll
+ 2009-07-13 23:46 . 2009-07-14 01:15    216064              c:\windows\winsxs\x86_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_6.1.7600.16988_none_ca69ea3e98603233\InkEd.dll
+ 2009-07-13 23:46 . 2009-07-14 01:15    274944              c:\windows\winsxs\x86_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_6.1.7600.16988_none_ca69ea3e98603233\InkDiv.dll
+ 2011-06-02 06:16 . 2010-11-20 10:24    134656              c:\windows\winsxs\x86_microsoft-windows-r..s-regkeys-component_31bf3856ad364e35_6.1.7601.21982_none_31d187047f696dc4\rdpudd.dll
+ 2011-06-02 06:16 . 2010-11-20 10:24    134656              c:\windows\winsxs\x86_microsoft-windows-r..s-regkeys-component_31bf3856ad364e35_6.1.7601.17830_none_317bf94166250f97\rdpudd.dll
+ 2012-01-16 22:33 . 2011-11-17 05:34    100352              c:\windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.1.7601.17856_none_a828bb43bb2beb28\sspicli.dll
+ 2012-08-09 15:09 . 2012-06-02 22:19    171904              c:\windows\System32\wuwebv.dll
+ 2012-08-09 15:09 . 2012-06-02 22:19    577048              c:\windows\System32\wuapi.dll
+ 2009-07-14 02:05 . 2012-08-09 18:06    624178              c:\windows\System32\perfh009.dat
- 2009-07-14 02:05 . 2012-08-09 05:41    624178              c:\windows\System32\perfh009.dat
+ 2009-07-14 02:05 . 2012-08-09 18:06    106522              c:\windows\System32\perfc009.dat
- 2009-07-14 02:05 . 2012-08-09 05:41    106522              c:\windows\System32\perfc009.dat
+ 2009-07-14 04:47 . 2012-08-09 17:59    396356              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 04:47 . 2012-08-09 05:36    396356              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-06-02 06:15 . 2010-11-05 01:53    1736536              c:\windows\winsxs\x86_presentationcore_31bf3856ad364e35_6.1.7601.17755_none_ae0e4090ee55e5f0\wpfgfx_v0300.dll
+ 2012-08-09 15:09 . 2012-06-02 22:12    2422272              c:\windows\winsxs\x86_microsoft-windows-windowsupdateclient-ui_31bf3856ad364e35_7.6.7600.256_none_f7839c193937c3f1\wucltux.dll
+ 2012-08-09 15:09 . 2012-06-02 22:19    1933848              c:\windows\winsxs\x86_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_7.6.7600.256_none_79d6786e99338140\wuaueng.dll
+ 2011-06-02 06:15 . 2010-11-20 12:17    1785344              c:\windows\winsxs\x86_microsoft-windows-tabletpc-journal_31bf3856ad364e35_7.1.7601.17803_none_0b3343d68db9b9ec\Journal.exe
+ 2011-06-02 06:15 . 2010-11-20 12:17    1785344              c:\windows\winsxs\x86_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17803_none_19c2c79102d3111d\Journal.exe
+ 2009-07-13 23:49 . 2009-07-14 01:14    1785344              c:\windows\winsxs\x86_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7600.16988_none_178aeab705e90645\Journal.exe
+ 2009-07-14 00:02 . 2009-07-14 01:15    1415168              c:\windows\winsxs\x86_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_6.1.7601.17803_none_cca1c718954a3d0b\InkObj.dll
+ 2009-07-14 00:02 . 2009-07-14 01:15    1415168              c:\windows\winsxs\x86_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_6.1.7600.16988_none_ca69ea3e98603233\InkObj.dll
+ 2012-01-16 22:33 . 2011-11-17 05:32    1038848              c:\windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.1.7601.17856_none_a828bb43bb2beb28\lsasrv.dll
+ 2012-01-16 22:33 . 2011-11-17 05:38    1037312              c:\windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.1.7600.17035_none_a656d407bdf6641e\lsasrv.dll
+ 2012-08-09 15:09 . 2012-06-02 22:12    2422272              c:\windows\System32\wucltux.dll
+ 2012-08-09 15:09 . 2012-06-02 22:19    1933848              c:\windows\System32\wuaueng.dll
+ 2009-07-14 02:03 . 2012-08-09 15:29    7340032              c:\windows\System32\SMI\Store\Machine\schema.dat
- 2009-07-14 02:03 . 2012-03-14 14:27    7340032              c:\windows\System32\SMI\Store\Machine\schema.dat
- 2009-07-14 04:34 . 2012-03-14 14:31    5980439              c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
+ 2009-07-14 04:34 . 2012-08-09 16:48    5980439              c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
+ 2011-04-09 04:38 . 2012-08-09 17:59    2253476              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3806059188-2109455386-291866110-1001-12288.dat
+ 2011-04-09 03:51 . 2012-08-09 17:59    38633760              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3806059188-2109455386-291866110-1001-8192.dat
+ 2011-05-31 05:55 . 2012-08-09 15:18    127004364              c:\windows\winsxs\ManifestCache\a786a517e28d5687_blobs.bin
.
-- Snapshot reset to current date --
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-07-03 16:21    121528    ----a-w-    c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-07-03 4273976]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 09:38    34672    ----a-w-    c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2011-02-12 02:26    171032    ----a-w-    c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2011-02-12 02:26    137752    ----a-w-    c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2011-02-12 02:26    172568    ----a-w-    c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-10-29 21:49    249064    ----a-w-    c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2010-05-28 05:31    1721640    ----a-w-    c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysTrayApp]
2010-03-23 21:53    495708    ----a-w-    c:\program files\IDT\WDM\sttray.exe
.
R3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [x]
R3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R4 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_9691412ff1876250\aestsrv.exe [x]
R4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
R4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
R4 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [x]
R4 PuranDefrag;PuranDefrag;c:\windows\system32\PuranDefragS.exe [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-03-26 01:47]
.
2012-08-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-03-26 01:47]
.
2012-08-09 c:\windows\Tasks\PC Optimizer Pro startups.job
- c:\program files\PC Optimizer Pro\StartApps.exe [2011-06-10 07:41]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\users\David\AppData\Roaming\Mozilla\Firefox\Profiles\oydg7dbs.default\
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2776)
c:\windows\system32\igd10umd32.dll
.
Completion time: 2012-08-09  12:17:23
ComboFix-quarantined-files.txt  2012-08-09 19:17
.
Pre-Run: 99,225,088,000 bytes free
Post-Run: 99,066,867,712 bytes free
.
- - End Of File - - 05F2A8773531733AF926981080DED708
The weird thing is that performance is good, fast and snappy so I'd like to save this install for the owner if possible.
 

My Computer

Computer type
PC/Desktop
OS
Microsoft Windows 10 Professional / Windows 7 Professional
CPU
Intel i5-3570
Motherboard
Lenovo Mahobay
Memory
16GB DDR3
Graphics Card(s)
AMD Radeon HD 7850 2GB
Sound Card
(1) Realtek HD Audio (2) AMD HD Audio
Monitor(s) Displays
LG LS192WS
Screen Resolution
1440 x 900 @ 32bit color
Hard Drives
(1) SUV300S37A/120G (2) ST3500413AS SATA Disk Device AHCI mode enabled.
PSU
Corsair HX620
Case
Thermaltake V4 Black Edition
Cooling
Cooler Master Hyper 212 + Artic Silver 5 on CPU/GPU
Keyboard
Dell SK-8115
Mouse
Razer Copperhead with MAPED mat (awesome!)
Internet Speed
100 Mbps up/down
Browser
Chrome
OK Thanks, running that now.

I rooted PC Optimizer Pro out by searching the registry for PCOpt and deleting a dozen listings, then found a Program File which I deleted, rooting out a stubborn tray item by ending its Process.
 
been there...done that brother, good luck
 

TDSS killer won't run, either from desktop or flash stick. I don't see any process for it opening in Task Manager either.

I tried to rename it svchost.exe which will sometimes sneak ComboFix past an infection, but it fails the Remote Procedural Call.
 
No why would there be such a partition?

Where do you see that there is Backdoor.tidserv on this PC? I must be missing it.
 
why do you ask questions before trying running the tools? :D just joking

Let me ask you a question. Can you guess which infection blocked you from running tdsskiller?

Do you say that you need to have backdoor.tidserv in your logs to run this tool? What did Avast show you? MBR alureon?
What is MBR alureon? Why did Avast do that?

Research and you will get the answer
 

My Computer

OS
32 bit
No why would there be such a partition?

Alureon usually puts a hidden boot partition on the infected system. Sometimes it shows up in disk management, most times it doesn't.

If you d/l G Parted, boot from that & examine the drive, you'll probably find a hidden partition between 1 - 10 MB (although the usual size is 1 - 3 MB). Delete this partition & then run TDSSKiller again, make sure to click the "change parameters" option & make sure all the boxes are checked. This should clean out any leftover files.

A follow up with Windows Defender offline would be a good idea to see if it introduced any other viruses.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Dell Hell oh Well
OS
Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
CPU
Intel Core 2 Duo 2.93GHz
Memory
Not much with my ADHD
Graphics Card(s)
ATI Radeon HD 4350
Monitor(s) Displays
24" HDTV/Monitor
Screen Resolution
Blurry after a Scotch or 2
Hard Drives
1 HDD 250 GB, 1 HDD 1 TB, 3 - 1 TB Externals
Case
Don't get on my case...man :D
Cooling
I have an Air Conditioner & Diet Pepsi
Keyboard
Saitek Cyborg
Mouse
10 yr old MS optical mouse that still works
Internet Speed
Never fast enough
Antivirus
Various
Browser
Various
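One defender-side check for the hidden partition described in the post above, as an added example (not code from this thread or from GParted/TDSSKiller): it parses the MBR partition table and flags any partition in the 1 - 10 MB range, noting whether it carries the active (boot) flag. The sample MBR is constructed inline and read_mbr() is a hypothetical helper for reading a real device.

```python
"""Added example: parse an MBR partition table and flag the small (1-10 MB)
partition the post above associates with Alureon. The sample MBR is constructed
here; read_mbr() is a hypothetical helper for reading a real device."""
import struct
from typing import Dict, List

SECTOR = 512
TABLE_OFFSET = 446        # the four 16-byte partition entries start here
SIGNATURE = b"\x55\xaa"   # bytes 510..511 of a valid MBR
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(mbr: bytes) -> List[Dict]:
    """Return the non-empty primary partition entries of a 512-byte MBR."""
    if len(mbr) < SECTOR or mbr[510:512] != SIGNATURE:
        raise ValueError("not an MBR: wrong length or missing 55AA signature")
    entries = []
    for slot in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, mbr, TABLE_OFFSET + 16 * slot)
        if ptype == 0 and sectors == 0:
            continue  # unused slot
        entries.append({"slot": slot, "active": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors,
                        "size_mb": sectors * SECTOR / (1024 * 1024)})
    return entries


def find_tiny_partitions(mbr: bytes, low_mb: float = 1.0, high_mb: float = 10.0) -> List[Dict]:
    """Partitions in the 1-10 MB range the post mentions, noting the active flag."""
    hits = []
    for e in parse_mbr(mbr):
        if low_mb <= e["size_mb"] <= high_mb:
            flag = ", marked active (bootable)" if e["active"] else ""
            hits.append(dict(e, reason=f"{e['size_mb']:.1f} MB partition{flag}"))
    return hits


def read_mbr(device_path: str) -> bytes:
    """Hypothetical helper: read sector 0 of a raw device (needs admin/root)."""
    with open(device_path, "rb") as f:   # e.g. \\.\PhysicalDrive0 or /dev/sda
        return f.read(SECTOR)


# Constructed sample: a 100 GiB NTFS partition, then a 2 MiB active partition at the end of the disk.
SAMPLE_MBR = (bytes(TABLE_OFFSET)
              + struct.pack(ENTRY_FMT, 0x00, 0x07, 2048, 209715200)
              + struct.pack(ENTRY_FMT, 0x80, 0x07, 2048 + 209715200, 4096)
              + bytes(32) + SIGNATURE)

if __name__ == "__main__":
    for hit in find_tiny_partitions(SAMPLE_MBR):
        print(f"slot {hit['slot']} at LBA {hit['lba_start']}: {hit['reason']}")
```

A hit is a reason to look at the drive offline (GParted from boot media, as the post suggests) rather than proof of infection on its own, since some OEM layouts also carry small utility partitions.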
greg, it's time to remove that disk and use an adapter so you can clean it with another computer, or perform a clean install :(
 

Thanks Borg for explaining. That's enough to know it's time to cut to the wipe and reinstall.

I posted my thread because I wanted to learn more about cleaning up the hairiest infections, knowing full well I would probably wipe the HD to Clean Reinstall - Factory OEM Windows 7 which I have now done. Performance is fine so far.

It wasn't necessary to slave the HD since I used the installer Command Line to wipe first with Diskpart Clean Command - however like OldMX I wasn't willing to wait any longer once I read more about the infection. :shock:
http://www.sevenforums.com/tutorials/52129-disk-clean-clean-all-diskpart-command.html
 
Greg, even I won't try to clean up a Rootkit infested machine! Most especially an MBR related Rootkit/Bootkit.
As you know, my experience is in 'security'. I've been at it for over 10 yrs now and this stuff is getting harder and harder to really "fix or cure" without nuking and clean install.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Bruce ... somewhere in his 40's
OS
Windows 7 Ultimate 32bit SP1
CPU
Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz
Motherboard
INTEL/D975XBX2
Memory
4 GB
Graphics Card(s)
ATI Radeon HD 2600 Pro
Monitor(s) Displays
Samsung SyncMaster 914v
Screen Resolution
1280 x 1024
Hard Drives
2/500GB each ... ST3500630AS ATA Device.
One is not connected
PSU
Rocketfish 700 W
Case
G.Skill Gigabyte Chassis
Keyboard
Standard PS/2 Keyboard
Mouse
Microsoft PS/2 Mouse
Internet Speed
DSL
Antivirus
Avira Internet Security
Browser
IE 11
Other Info
ATI HDMI Audio
Thanks, Jacee. As a Clean Reinstall obsessive I have always cut to the reinstall on heavily infected machines.

However you helped me clean up a serious fake AV infection with hidden files on a roommate's machine which I did via TeamViewer while traveling: http://www.sevenforums.com/system-security/221572-fake-av-infection-files-hidden.html

I promised roommate I'd reinstall as soon as I got back, however he said performance was good enough that he didn't even want a reinstall. Since then I've been warily circling the machine, ready to pounce. :huh:

Is Alureon one of the MBR infections that can leech into the BIOS? I never saw any sign it had created a partition, but do you think Diskpart Clean Command - which is normally sufficient to overwrite conflicting boot sector code - is sufficient? I could have run Clean All but had an exchange with you or Corrine some years ago where it seemed to be deemed unnecessary to wipe infection.
 
I would have suggested a clean install also, but you mentioned you wanted to save the install, so I thought you might take a try at removing it.

I've never read anything about Alureon getting into the BIOS, but that doesn't mean it hasn't evolved. The latest Sirefef variants trick the AV by presenting a valid, clean MS file & then, after that runs, switch over to the infected file. It wouldn't surprise me if other viruses started using this pattern as it seems most effective at dodging AVs' scans.

I noticed that in almost all the cases of Alureon, the hidden boot sector doesn't show up on the Disk Management console, but running G Parted from a boot disk usually reveals it.
 

Yes, basically I have this friend's older HP dv5-1235dx laptop for 12 days while housesitting for him on the beach here. He's not been able to even use it for months and I didn't know what to expect.

I figured I'd spend a few days practicing virus cleanup due to the apparent success of the one prior cleanup I posted above. But your description of the virus made me wary it could cause possible damage to the machine. I've yet to personally come across an MBR or BIOS infection but understand some can damage hardware.

So at that point I reinstalled, finding all drivers were in the installer, and after just an hour's updates and setup have a perfectly fast laptop I'll use for the rest of my stay.

Thanks again, all!
 
At least you have access to disks. One clean up I had to do, the nice lady had NO disks of any kind ("Were they important?" she asked), her kids had scratched the Win # sticker off the machine (So much for d/l'ing Windows), and when the machine booted, it was a black screen with a flashing cursor. It also had Alureon (and about 27 other viruses) that I had no choice but to work out. I was able to use the factory restore (And a few AV/repair boot disks), that took up a day & 1/2 of my time....but hey, I got it working again....somehow:sarc:
 

I'd heard the DV5 runs hot which is why it's elevated and sure enough its keyboard feels hot. I installed Core Temp to the tray and it is staying around 30C so I'm not sweating it even tho hot keyboards are unpleasant in general.
 