Author Topic: Avast! missing an infected file, even tho jotti says avast recognises it... ???  (Read 17935 times)


AussieChippie

  • Guest
I have been using avast! myself for a long time, and a friend of mine's computer (Win XP) was recently showing signs of infection. Her kids have been using the computer in administrator mode (despite my repeated warnings to her) so I wasn't really surprised. I removed Avira/AntiVir and put on avast!. It found a few minor infections, but there's still something strange going on.

Among other things I found that SpyBot and Adaware had both been partially uninstalled. Upon reinstalling them I found that, even after a full clean by both programs and a clean scan from avast! I am still getting MyWebSearch entries appearing in the registry.

The other thing that really concerned me was that when I tried to do a chkdsk c: /f to see if the reason files were not being removed was due to a filesystem corruption, I found that chkdsk would not run at startup. I looked at this issue and found that the volume type was RAW, not NTFS. The computer still starts up ok though - but the C: volume isn't visible in the DiskManagement snap-in in the management console. Various references described this as a possible symptom of a rootkit infection.

Soo..  I went looking deeper with the RootkitDetective that McAfee currently has in beta, and it found a file with a very strange name, in a very strange place. In fact, the full entry in its log file is this:

Object-Type: File/Folder
Object-Name: ytasfwvbcxvvti.sys
Pid: n/a
Object-Path: C:\WINDOWS\system32\drivers\ytasfwvbcxvvti.sys
Status: Hidden

... and there's a similarly named dll in the system32 directory itself.

When I put this through jotti, most scanners detect it as a rootkit

avast! calls it Win32:Alureon-CM
AVG calls it Rootkit-Pakes.L
AntiVir calls it TR/Crypt.ZPACK.Gen

However... as I said, avast (and previously, AntiVir) gives a clean scan.

Even with 'show hidden files' turned on, I can't see this file with Explorer. I can open it with notepad by copying and pasting the path name above, and I've been able to send it to online scanners.

Why is avast! not seeing this file when it does a scan? I have just completed a specific scan of the system32 directory (it scanned 6497 files) and nothing was reported - neither the .sys file nor the .dll file.

What do I do now? Is there some option I can change in avast! or is there some characteristic of the filesystem that I need to change?

I'm reasonably IT literate - former IT systems manager, computer science graduate, part time database developer, former UNIX tinkerer, and I know my way around filesystem structures, so I should be able to dig out any dirty secrets if I've got the tools. Just tell me what to look for, how to get it, and I'd love to help improve avast!'s performance.

HJT log coming.

Cheers,

Grant.
« Last Edit: September 05, 2009, 07:57:12 PM by AussieChippie »
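The symptom described in this post, a file that never shows up in a directory listing yet opens when its full path is supplied, is the classic discrepancy a cross-view scan looks for. The following is an added example, not code from the thread, from avast or from any tool mentioned here: it compares an enumeration view with a direct-path view and reports names that only the second can reach. The function names, the temporary directory and its contents, and the simulated filter are constructed for the example; the driver file name from the thread is used only as sample input.

```python
"""Cross-view check for files hidden from directory enumeration.

Added example (not from the forum thread, avast, or any tool named in it).
A hook that filters directory-enumeration results has to hide a name from
every listing call; a direct open by path goes through a different request
and often slips past. Comparing the two views is what rootkit detectors
call a cross-view scan. Everything below is constructed for the example.
"""
import os
import tempfile
from typing import Callable, Dict, Iterable, List


def find_hidden_by_cross_view(
    directory: str,
    candidates: Iterable[str],
    list_view: Callable[[str], Iterable[str]] = os.listdir,
    path_view: Callable[[str], bool] = os.path.exists,
) -> List[str]:
    """Return candidate names reachable by direct path but absent from the listing.

    candidates -- names from an independent source (a process's module list,
                  a driver table, an offline scan of the volume); the poster's
                  RootkitDetective output is such a source.
    list_view  -- the enumeration API, which a hook can filter.
    path_view  -- a direct open/stat by full path.
    Comparison is case-insensitive because NTFS names are.
    """
    listed = {name.lower() for name in list_view(directory)}
    hidden = [
        name for name in candidates
        if name.lower() not in listed and path_view(os.path.join(directory, name))
    ]
    return sorted(hidden)


def demo() -> Dict[str, List[str]]:
    """Run the check on a constructed directory, once with an honest listing
    and once with a listing that drops a rootkit-style prefix. The filter is
    a plain Python function standing in for a kernel hook; nothing here
    touches the real system beyond a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("ntfs.sys", "atapi.sys", "ytasfwvbcxvvti.sys"):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(b"\0" * 16)  # constructed placeholder content
        # The candidate list deliberately includes a name that does not exist,
        # to show that the check reports only files that really open.
        candidates = ["ntfs.sys", "atapi.sys", "ytasfwvbcxvvti.sys", "notthere.sys"]

        def filtered_listdir(path: str) -> List[str]:
            # Simulated enumeration filter: names with this prefix never
            # appear in the listing, which is all the simulation does.
            return [n for n in os.listdir(path) if not n.lower().startswith("ytasfw")]

        clean = find_hidden_by_cross_view(d, candidates)
        hooked = find_hidden_by_cross_view(d, candidates, list_view=filtered_listdir)
    return {"clean": clean, "hooked": hooked}


if __name__ == "__main__":
    print(demo())
```

Only a discrepancy is meaningful: a kernel-level filter can just as well intercept the direct-path open, so an empty result says nothing about the machine, which is why the poster's observation that the file opens by path is the useful data point, not the clean listing.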

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37547
  • Not a avast user
try these tools used by everyone in this forum

Malwarebytes Antimalware http://malwarebytes.org/

Super Antispyware http://superantispyware.com/

AussieChippie

  • Guest
HJT log part 1
« Reply #2 on: September 05, 2009, 08:07:13 PM »
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:00:07 AM, on 6/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\TPG Usage Meter\TPG Usage Meter.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\carpserv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Documents and Settings\Default\My Documents\Downloads\HijackThis.exe
C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: FCToolbarURLSearchHook Class - {b800be35-8e12-422f-9967-8176bbb4e828} - C:\Program Files\MouseHunt Toolbar\Helper.dll
R3 - URLSearchHook: (no name) -  - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FCTBPos00Pos - {91B53B55-36CE-4ABE-A248-F97D6D9F0CFF} - C:\Program Files\MouseHunt Toolbar\Toolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: MouseHunt Toolbar - {89F74AE6-CC04-4740-9A19-EEE1DCD2861B} - C:\Program Files\MouseHunt Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [TPG Usage Meter] C:\Program Files\TPG Usage Meter\TPG Usage Meter.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

AussieChippie

  • Guest
HJT log part 2
« Reply #3 on: September 05, 2009, 08:07:39 PM »
O8 - Extra context menu item: &Search - ?p=ZK
O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - http://messenger.zone.msn.com/binary/MJSS.cab69309.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/280542d1532fead2f103/netzip/RdxIE601.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_1_0.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {FE8400F2-C848-4379-989F-DF2ED39040BE} (Eyeball Instant Messaging Control) - http://www.rsvp.com.au/chat/RSVPChat.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS3\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9ac73f45ccaf5) (gupdate1c9ac73f45ccaf5) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\winvnc.exe
O24 - Desktop Component 0: (no name) - http://www.beautifulwallpapers.com/wallpapers/places/roach4t.jpg
O24 - Desktop Component 1: (no name) - http://www.beautifulwallpapers.com/wallpapers/photo/ny23t.gif
O24 - Desktop Component 2: (no name) - http://www.beautifulwallpapers.com/wallpapers/art/xbonnell2t.jpg
O24 - Desktop Component 3: (no name) - http://ctones.telstra.com/web/theme/image/bodybg.gif
O24 - Desktop Component 4: (no name) - http://www.google.com.au/logos/halloween07.gif
O24 - Desktop Component 5: (no name) - http://s3.amazonaws.com/kickflip/familyguyquotes/images/1476697443470595ffb66d80_45360675_thumb.jpg

--
End of file - 16036 bytes

AussieChippie

  • Guest
try these tools used by everyone in this forum

Malwarebytes Antimalware http://malwarebytes.org/

Super Antispyware http://superantispyware.com/

Will do, Pondus... Thanks.

I'm still wondering why avast! isn't seeing this file, though...

And, flicking through that HJT log myself, I'm amazed at the crap on this computer lol!

micky77

  • Guest
« Last Edit: September 05, 2009, 08:50:57 PM by micky77 »

AussieChippie

  • Guest
OK. rootrepeal log. Pretty much what I expected.

I got an error on launching rootrepeal - "Could not read the boot sector. Try adjusting the Disk Access Level in the Options dialog".

That makes sense, given that (as I previously described) Disk Manager in the MMC doesn't even show the C: volume, and chkdsk (or more accurately autochk) reports that it can't check a RAW volume.

The strange dll and sys files that the McAfee tool reported in the system32 folder are all over this log like a rash. The big flashing pink neon "MBR rootkit detected" is a bit of a giveaway too, clearly. As I previously stated, the files are not visible in Explorer even with 'show system and hidden files' turned on, and avast doesn't see them - jotti tells me that avast would recognise it as a malware file.

After repeated scans in Diagnostic Mode (from msconfig) I get (or rather, got!) clean scans with avast, MBAM and SuperAS.

The obvious easy steps now, I think, are to get a recovery console up, use FIXMBR and then restart in diagnostic mode again, and try to manually delete or at least overwrite those two files. Re-scan with everything (including rootrepeal and the Rootkit_Detective) and see if it comes up clean.

The thing I REALLY want to know, and I would have thought avast's developers would like to know, is why avast isn't seeing the file when Rootkit_Detective is. Even rootrepeal doesn't give the path to the file. It makes me wonder what else is hiding.

Rootrepeal log in my next post.

AussieChippie

  • Guest
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:      2009/09/07 08:18
Program Version:      Version 1.3.5.0
Windows Version:      Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB8903000   Size: 98304   File Visible: No   Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79CF000   Size: 8192   File Visible: No   Signed: -
Status: -

Name: PCI_PNP4540
Image Path: \Driver\PCI_PNP4540
Address: 0x00000000   Size: 0   File Visible: No   Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB6A3D000   Size: 49152   File Visible: No   Signed: -
Status: -

Name: sple.sys
Image Path: sple.sys
Address: 0xF74D6000   Size: 1048576   File Visible: No   Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000   Size: 0   File Visible: No   Signed: -
Status: -

Name: svvoy.sys
Image Path: C:\WINDOWS\system32\drivers\svvoy.sys
Address: 0xF76D7000   Size: 61440   File Visible: No   Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: Volume C:\, Sector 1
Status: Sector mismatch

Path: Volume C:\, Sector 2
Status: Sector mismatch

Path: Volume C:\, Sector 3
Status: Sector mismatch

Path: Volume C:\, Sector 4
Status: Sector mismatch

Path: Volume C:\, Sector 5
Status: Sector mismatch

Path: Volume C:\, Sector 6
Status: Sector mismatch

Path: Volume C:\, Sector 7
Status: Sector mismatch

Path: Volume C:\, Sector 8
Status: Sector mismatch

Path: Volume C:\, Sector 9
Status: Sector mismatch

Path: Volume C:\, Sector 10
Status: Sector mismatch

Path: Volume C:\, Sector 11
Status: Sector mismatch

Path: Volume C:\, Sector 12
Status: Sector mismatch

Path: Volume C:\, Sector 13
Status: Sector mismatch

Path: Volume C:\, Sector 15
Status: Sector mismatch

Path: Volume C:\, Sector 19
Status: Sector mismatch

Path: Volume C:\, Sector 22
Status: Sector mismatch

Path: Volume C:\, Sector 24
Status: Sector mismatch

Path: Volume C:\, Sector 29
Status: Sector mismatch

Path: Volume C:\, Sector 30
Status: Sector mismatch

Path: Volume C:\, Sector 32
Status: Sector mismatch

Path: Volume C:\, Sector 33
Status: Sector mismatch

Path: Volume C:\, Sector 34
Status: Sector mismatch

Path: Volume C:\, Sector 35
Status: Sector mismatch

Path: Volume C:\, Sector 36
Status: Sector mismatch

Path: Volume C:\, Sector 37
Status: Sector mismatch

Path: Volume C:\, Sector 42
Status: Sector mismatch

Path: Volume C:\, Sector 44
Status: Sector mismatch

Path: Volume C:\, Sector 45
Status: Sector mismatch

Path: Volume C:\, Sector 46
Status: Sector mismatch

Path: Volume C:\, Sector 48
Status: Sector mismatch

Path: Volume C:\, Sector 49
Status: Sector mismatch

Path: Volume C:\, Sector 50
Status: Sector mismatch

Path: Volume C:\, Sector 51
Status: Sector mismatch

Path: Volume C:\, Sector 52
Status: Sector mismatch

Path: Volume C:\, Sector 54
Status: Sector mismatch

Path: Volume C:\, Sector 55
Status: Sector mismatch

Path: Volume C:\, Sector 57
Status: Sector mismatch

Path: Volume C:\, Sector 58
Status: Sector mismatch

Path: Volume C:\, Sector 59
Status: Sector mismatch

Path: Volume C:\, Sector 62
Status: Sector mismatch

Stealth Objects
-------------------
Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: services.exe (PID: 732)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: lsass.exe (PID: 744)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwqbxiehnc.dll]
Process: svchost.exe (PID: 908)   Address: 0x006b0000   Size: 53248

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: svchost.exe (PID: 908)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: svchost.exe (PID: 1008)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: svchost.exe (PID: 1148)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: svchost.exe (PID: 1236)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: svchost.exe (PID: 1296)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: svchost.exe (PID: 1448)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: aswUpdSv.exe (PID: 1504)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: AAWService.exe (PID: 1520)   Address: 0x00d10000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: ashServ.exe (PID: 1576)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: spoolsv.exe (PID: 1864)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: LVPrcSrv.exe (PID: 1912)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: svchost.exe (PID: 508)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: mDNSResponder.exe (PID: 536)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: jqs.exe (PID: 1224)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: LVComSer.exe (PID: 1360)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: nvsvc32.exe (PID: 1988)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: HPZipm12.exe (PID: 192)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: RichVideo.exe (PID: 236)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: svchost.exe (PID: 392)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: TomTomHOMEService.exe (PID: 428)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: winvnc.exe (PID: 576)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: ashMaiSv.exe (PID: 2120)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: unsecapp.exe (PID: 2136)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: ashWebSv.exe (PID: 2168)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: wmiprvse.exe (PID: 2204)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: alg.exe (PID: 2460)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: WgaTray.exe (PID: 2400)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: Explorer.EXE (PID: 2540)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: LVComSer.exe (PID: 420)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: TPG Usage Meter.exe (PID: 3464)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: realsched.exe (PID: 4060)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: jusched.exe (PID: 712)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: SOUNDMAN.EXE (PID: 3580)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: RUNDLL32.EXE (PID: 960)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: Quickcam.exe (PID: 2176)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: Communications_Helper.exe (PID: 812)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: iTunesHelper.exe (PID: 2368)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: HPWuSchd2.exe (PID: 2448)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: hpcmpmgr.exe (PID: 3608)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: ashDisp.exe (PID: 2348)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: svchost.exe (PID: 1976)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: apdproxy.exe (PID: 2688)   Address: 0x00340000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: hpqtra08.exe (PID: 872)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: LogitechDesktopMessenger.exe (PID: 2912)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: iPodService.exe (PID: 1620)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: hptskmgr.exe (PID: 3264)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: COCIManager.exe (PID: 3732)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: RootRepeal.exe (PID: 3236)   Address: 0x10000000   Size: 32768
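A RootRepeal log of this length is easier to act on once it is reduced to a handful of facts: did the MBR check fire, how many on-disk sectors disagree with what the OS returns, which hidden modules were injected into which processes, and which drivers have their IRP dispatch entries resolving to a single address outside any visible image (the "Hidden Code" entries in the continuation of this log in the next post). The following triage script is an added example, not code from the thread, from RootRepeal or from avast; it assumes only the RootRepeal 1.3.5 line shapes visible in this thread, and the sample log embedded in it is an excerpt constructed from those lines.

```python
"""Triage helper for RootRepeal text logs.

Added example (not from the forum thread, RootRepeal, or avast). It parses
the sections seen in the posted log -- Drivers, Hidden/Locked Files and
Stealth Objects -- and summarises them. The line formats are assumed from
the log in the thread; any other RootRepeal version may differ.
"""
import re
from collections import defaultdict
from typing import Dict, List

HIDDEN_MODULE_RE = re.compile(r"^Object: Hidden Module \[Name: (?P<name>[^\]]+)\]$")
HIDDEN_CODE_RE = re.compile(
    r"^Object: Hidden Code \[Driver: (?P<driver>.+?), (?P<irp>IRP_MJ_\w+)\]$")
PROCESS_RE = re.compile(
    r"^Process: (?P<proc>.+?)(?: \(PID: (?P<pid>\d+)\))?\s+"
    r"Address: (?P<addr>0x[0-9a-fA-F]+)\s+Size: (?P<size>\d+)$")


def triage_rootrepeal(log_text: str) -> dict:
    """Parse a RootRepeal log and return a findings dictionary."""
    modules: Dict[str, set] = defaultdict(set)                 # dll -> processes
    hooks: Dict[str, Dict[str, set]] = defaultdict(lambda: defaultdict(set))  # driver -> addr -> IRPs
    drivers_without_path: List[str] = []
    mbr_rootkit = False
    sector_mismatches = 0
    pending = None  # the entry whose continuation line we expect next

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            pending = None          # entries are blank-line separated
            continue
        m_mod = HIDDEN_MODULE_RE.match(line)
        m_code = HIDDEN_CODE_RE.match(line)
        m_proc = PROCESS_RE.match(line)
        if line.startswith("Name: "):
            pending = ("driver", line[6:])
        elif line.startswith("Image Path: ") and pending and pending[0] == "driver":
            # A bare file name with no directory means the image could not be
            # tied to a location on disk; that is worth a manual look.
            if "\\" not in line[12:]:
                drivers_without_path.append(pending[1])
        elif line.startswith("Path: "):
            pending = ("path", line[6:])
        elif line.startswith("Status: ") and pending and pending[0] == "path":
            status = line[8:]
            if status == "MBR Rootkit Detected!":
                mbr_rootkit = True
            elif status == "Sector mismatch":
                sector_mismatches += 1
        elif m_mod:
            pending = ("module", m_mod["name"])
        elif m_code:
            pending = ("code", m_code["driver"], m_code["irp"])
        elif m_proc and pending:
            if pending[0] == "module":
                modules[pending[1]].add(m_proc["proc"])
            elif pending[0] == "code":
                hooks[pending[1]][m_proc["addr"]].add(pending[2])
            pending = None

    return {
        "mbr_rootkit": mbr_rootkit,
        "sector_mismatches": sector_mismatches,
        "hidden_modules": {name: sorted(p) for name, p in modules.items()},
        # One address covering every major function is the shape of a
        # wholesale dispatch-table hook rather than a single patched routine.
        "hooked_drivers": {
            drv: {"addresses": sorted(by_addr),
                  "irp_count": sum(len(v) for v in by_addr.values())}
            for drv, by_addr in hooks.items()
        },
        "drivers_without_path": drivers_without_path,
    }


# Constructed excerpt in the format of the log posted in this thread.
SAMPLE_LOG = r"""ROOTREPEAL (c) AD, 2007-2009
==================================================

Drivers
-------------------
Name: sple.sys
Image Path: sple.sys
Address: 0xF74D6000   Size: 1048576   File Visible: No   Signed: -
Status: -

Name: svvoy.sys
Image Path: C:\WINDOWS\system32\drivers\svvoy.sys
Address: 0xF76D7000   Size: 61440   File Visible: No   Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: Volume C:\, Sector 1
Status: Sector mismatch

Path: Volume C:\, Sector 2
Status: Sector mismatch

Stealth Objects
-------------------
Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: services.exe (PID: 732)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: lsass.exe (PID: 744)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwqbxiehnc.dll]
Process: svchost.exe (PID: 908)   Address: 0x006b0000   Size: 53248

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System   Address: 0x8a36b1f8   Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System   Address: 0x8a36b1f8   Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System   Address: 0x8a36b1f8   Size: 121
"""

if __name__ == "__main__":
    print(triage_rootrepeal(SAMPLE_LOG))
```

Run against the full log from this thread, the interesting output is the `hooked_drivers` entry for `Ntfs`: every major function, including `IRP_MJ_DIRECTORY_CONTROL` and `IRP_MJ_CREATE`, resolves to the same address, which is consistent with a filesystem-level filter that can hide names from enumeration, and the `hidden_modules` entry shows the same dll injected into the avast service processes (`ashServ.exe`, `ashMaiSv.exe`, `ashWebSv.exe`), so the scanner is reading the filesystem through the very driver stack the rootkit controls.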

AussieChippie

  • Guest
Rootrepeal log part 2
« Reply #8 on: September 07, 2009, 12:45:18 AM »
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System   Address: 0x8a36b1f8   Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System   Address: 0x8a36b1f8   Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System   Address: 0x8a36b1f8   Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System   Address: 0x8a36b1f8   Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System   Address: 0x8a36b1f8   Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System   Address: 0x8a36b1f8   Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System   Address: 0x8a36b1f8   Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System   Address: 0x8a36b1f8   Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System   Address: 0x8a36b1f8   Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System   Address: 0x8a36b1f8   Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System   Address: 0x8a36b1f8   Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System   Address: 0x8a36b1f8   Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System   Address: 0x8a36b1f8   Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System   Address: 0x8a36b1f8   Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System   Address: 0x8a36b1f8   Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System   Address: 0x8a36b1f8   Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System   Address: 0x8a36b1f8   Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System   Address: 0x8a36b1f8   Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System   Address: 0x8a36b1f8   Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System   Address: 0x8a36b1f8   Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System   Address: 0x8a36b1f8   Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System   Address: 0x8a36b1f8   Size: 121

Object: Hidden Code [Driver: ad94g3a0Ѕఐ浍瑓⣂ᕎ棂㮃磂䞟裂⪲飂䌁ꣂᆳ, IRP_MJ_CREATE]
Process: System   Address: 0x8a0c8500   Size: 121

Object: Hidden Code [Driver: ad94g3a0Ѕఐ浍瑓⣂ᕎ棂㮃磂䞟裂⪲飂䌁ꣂᆳ, IRP_MJ_CLOSE]
Process: System   Address: 0x8a0c8500   Size: 121

Object: Hidden Code [Driver: ad94g3a0Ѕఐ浍瑓⣂ᕎ棂㮃磂䞟裂⪲飂䌁ꣂᆳ, IRP_MJ_DEVICE_CONTROL]
Process: System   Address: 0x8a0c8500   Size: 121

Object: Hidden Code [Driver: ad94g3a0Ѕఐ浍瑓⣂ᕎ棂㮃磂䞟裂⪲飂䌁ꣂᆳ, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System   Address: 0x8a0c8500   Size: 121

Object: Hidden Code [Driver: ad94g3a0Ѕఐ浍瑓⣂ᕎ棂㮃磂䞟裂⪲飂䌁ꣂᆳ, IRP_MJ_POWER]
Process: System   Address: 0x8a0c8500   Size: 121

Object: Hidden Code [Driver: ad94g3a0Ѕఐ浍瑓⣂ᕎ棂㮃磂䞟裂⪲飂䌁ꣂᆳ, IRP_MJ_SYSTEM_CONTROL]
Process: System   Address: 0x8a0c8500   Size: 121

Object: Hidden Code [Driver: ad94g3a0Ѕఐ浍瑓⣂ᕎ棂㮃磂䞟裂⪲飂䌁ꣂᆳ, IRP_MJ_PNP]
Process: System   Address: 0x8a0c8500   Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System   Address: 0x8a1db1f8   Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System   Address: 0x8a1db1f8   Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System   Address: 0x8a1db1f8   Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System   Address: 0x8a1db1f8   Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System   Address: 0x8a1db1f8   Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System   Address: 0x8a1db1f8   Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System   Address: 0x8a1db1f8   Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System   Address: 0x8a1db1f8   Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System   Address: 0x8a1db1f8   Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System   Address: 0x8a1db1f8   Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System   Address: 0x8a1db1f8   Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CREATE]
Process: System   Address: 0x8a1a21f8   Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CLOSE]
Process: System   Address: 0x8a1a21f8   Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_DEVICE_CONTROL]
Process: System   Address: 0x8a1a21f8   Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System   Address: 0x8a1a21f8   Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_POWER]
Process: System   Address: 0x8a1a21f8   Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_SYSTEM_CONTROL]
Process: System   Address: 0x8a1a21f8   Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_PNP]
Process: System   Address: 0x8a1a21f8   Size: 121

AussieChippie

  • Guest
Rootrepeal log part 3
« Reply #9 on: September 07, 2009, 12:45:58 AM »
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System   Address: 0x8a3db1f8   Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System   Address: 0x8a3db1f8   Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System   Address: 0x8a3db1f8   Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System   Address: 0x8a3db1f8   Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System   Address: 0x8a3db1f8   Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System   Address: 0x8a3db1f8   Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System   Address: 0x8a3db1f8   Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System   Address: 0x8a3db1f8   Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System   Address: 0x8a3db1f8   Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System   Address: 0x8a3db1f8   Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System   Address: 0x8a3db1f8   Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System   Address: 0x89da01f8   Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System   Address: 0x89da01f8   Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System   Address: 0x89da01f8   Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System   Address: 0x89da01f8   Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System   Address: 0x89da01f8   Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System   Address: 0x89da01f8   Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System   Address: 0x8a1a6500   Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System   Address: 0x8a1a6500   Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System   Address: 0x8a1a6500   Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System   Address: 0x8a1a6500   Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System   Address: 0x8a1a6500   Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System   Address: 0x8a1a6500   Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System   Address: 0x8a1a6500   Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System   Address: 0x8a0e5500   Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System   Address: 0x8a0e5500   Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System   Address: 0x8a0e5500   Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System   Address: 0x8a0e5500   Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System   Address: 0x8a0e5500   Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System   Address: 0x8a0e5500   Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System   Address: 0x8a0e5500   Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System   Address: 0x8a0e5500   Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System   Address: 0x8a0e5500   Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System   Address: 0x8a0e5500   Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System   Address: 0x8a0e5500   Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System   Address: 0x8a0e5500   Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System   Address: 0x8a0e5500   Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System   Address: 0x8a0e5500   Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System   Address: 0x8a0e5500   Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System   Address: 0x8a0e5500   Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System   Address: 0x8a0e5500   Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System   Address: 0x8a0e5500   Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System   Address: 0x8a0e5500   Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System   Address: 0x8a0e5500   Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System   Address: 0x8a0e5500   Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System   Address: 0x8a0e5500   Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System   Address: 0x8a0e5500   Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System   Address: 0x8a0e5500   Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System   Address: 0x8a0e5500   Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System   Address: 0x8a0e5500   Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System   Address: 0x8a0e5500   Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System   Address: 0x8a0e5500   Size: 121

Object: Hidden Code [Driver: Null, IRP_MJ_CREATE]
Process: System   Address: 0x8a1d2500   Size: 121

Object: Hidden Code [Driver: Null, IRP_MJ_CLOSE]
Process: System   Address: 0x8a1d2500   Size: 121

Object: Hidden Code [Driver: Null, IRP_MJ_READ]
Process: System   Address: 0x8a1d2500   Size: 121

Object: Hidden Code [Driver: Null, IRP_MJ_QUERY_INFORMATION]
Process: System   Address: 0x8a1d2500   Size: 121

Object: Hidden Code [Driver: Null, IRP_MJ_SET_INFORMATION]
Process: System   Address: 0x8a1d2500   Size: 121

Object: Hidden Code [Driver: Null, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System   Address: 0x8a1d2500   Size: 121

Object: Hidden Code [Driver: Null, IRP_MJ_DIRECTORY_CONTROL]
Process: System   Address: 0x8a1d2500   Size: 121

Object: Hidden Code [Driver: Null, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System   Address: 0x8a1d2500   Size: 121

Object: Hidden Code [Driver: Null, IRP_MJ_DEVICE_CONTROL]
Process: System   Address: 0x8a1d2500   Size: 121

Object: Hidden Code [Driver: Null, IRP_MJ_SHUTDOWN]
Process: System   Address: 0x8a1d2500   Size: 121

Object: Hidden Code [Driver: Null, IRP_MJ_LOCK_CONTROL]
Process: System   Address: 0x8a1d2500   Size: 121

Object: Hidden Code [Driver: Null, IRP_MJ_CLEANUP]
Process: System   Address: 0x8a1d2500   Size: 121

Object: Hidden Code [Driver: Null, IRP_MJ_PNP]
Process: System   Address: 0x8a1d2500   Size: 121

==EOF==
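
A triage helper for the RootRepeal output above, added here as an example (it is not RootRepeal's or avast!'s code). Reading several hundred log lines by eye hides the two patterns that matter: every hooked major function of one driver resolves to a single address, and one driver object carries a name that is not printable ASCII. The script parses the "Hidden Module" and "Hidden Code" entries, groups hooks per driver and hidden DLLs per host process, and flags those two patterns. The embedded sample log is constructed from a handful of the entries above (the odd driver name is a shortened copy); point it at a saved log file instead to run it on the full thing.

```python
"""Triage helper for a RootRepeal log (added example, not RootRepeal's code).

Parses the two entry kinds seen in the log above and summarises them per
driver and per injected module so a defender can spot redirected IRP
dispatch tables and a DLL hidden in many processes at a glance.
"""
import re
from collections import defaultdict

# Constructed sample in the same format as the log in this thread
# (the driver name is a shortened copy of the garbage name shown above).
SAMPLE_LOG = """\
Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: hpqtra08.exe (PID: 872)   Address: 0x10000000   Size: 32768

Object: Hidden Module [Name: ytasfwtpqxteix.dll]
Process: iPodService.exe (PID: 1620)   Address: 0x10000000   Size: 32768

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System   Address: 0x8a36b1f8   Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System   Address: 0x8a36b1f8   Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System   Address: 0x8a36b1f8   Size: 121

Object: Hidden Code [Driver: ad94g3a0Ѕఐ浍瑓, IRP_MJ_CREATE]
Process: System   Address: 0x8a0c8500   Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System   Address: 0x8a1db1f8   Size: 121

==EOF==
"""

CODE_RE = re.compile(r"^Object: Hidden Code \[Driver: (?P<driver>.+), (?P<irp>IRP_MJ_\w+)\]$")
MODULE_RE = re.compile(r"^Object: Hidden Module \[Name: (?P<name>[^\]]+)\]$")
DETAIL_RE = re.compile(
    r"^Process: (?P<process>.+?)\s+Address: (?P<addr>0x[0-9a-fA-F]+)\s+Size: (?P<size>\d+)$"
)


def parse_rootrepeal(text):
    """Return one dict per Object/Process line pair; other lines are skipped."""
    entries, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CODE_RE.match(line)
        if m:
            pending = {"kind": "code", "driver": m["driver"], "irp": m["irp"]}
            continue
        m = MODULE_RE.match(line)
        if m:
            pending = {"kind": "module", "name": m["name"]}
            continue
        m = DETAIL_RE.match(line)
        if m and pending is not None:
            pending.update(process=m["process"], address=int(m["addr"], 16),
                           size=int(m["size"]))
            entries.append(pending)
            pending = None
    return entries


def hidden_module_hosts(entries):
    """Module name -> sorted names of the processes it was found hidden in."""
    hosts = defaultdict(set)
    for e in entries:
        if e["kind"] == "module":
            hosts[e["name"]].add(e["process"].split(" (")[0])  # drop "(PID: n)"
    return {name: sorted(procs) for name, procs in hosts.items()}


def summarize_hooks(entries):
    """Driver -> {'irps': hooked major functions, 'addresses': hook targets}."""
    hooks = defaultdict(lambda: {"irps": set(), "addresses": set()})
    for e in entries:
        if e["kind"] == "code":
            hooks[e["driver"]]["irps"].add(e["irp"])
            hooks[e["driver"]]["addresses"].add(e["address"])
    return dict(hooks)


def is_suspicious_name(driver):
    """Legitimate driver object names are printable ASCII; garbage is not."""
    return not all(32 <= ord(c) < 127 for c in driver)


def report(entries):
    """One human-readable line per driver and per hidden module, with flags."""
    lines = []
    for driver, info in sorted(summarize_hooks(entries).items()):
        flags = []
        if is_suspicious_name(driver):
            flags.append("non-ASCII driver name")
        if len(info["irps"]) > 1 and len(info["addresses"]) == 1:
            flags.append("all hooked IRPs point to one address")
        addrs = ", ".join(f"0x{a:08x}" for a in sorted(info["addresses"]))
        lines.append(f"{driver!r}: {len(info['irps'])} IRP(s) -> {addrs}"
                     + (f"  [{'; '.join(flags)}]" if flags else ""))
    for name, procs in sorted(hidden_module_hosts(entries).items()):
        lines.append(f"hidden module {name} in {len(procs)} process(es): "
                     + ", ".join(procs))
    return lines


if __name__ == "__main__":
    for line in report(parse_rootrepeal(SAMPLE_LOG)):
        print(line)
```

The "one address for every hooked IRP" flag is a heuristic, not proof: a legitimate filter can also sit in front of several major functions, so the output is a shortlist for a human to check against the loaded driver images, not a verdict.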

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37547
  • Not a avast user
Quote: It makes me wonder what else is hiding.
  8)
You can also try these

Norman Malware Cleaner http://www.norman.com/support/support_tools/58732/en
Dr.Web CureIt http://www.freedrweb.com/

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Yep, that's one of the latest variants of Alureon. Nasty stuff.
We're aware of the limitations of the current MBR detector (which cannot detect this particular rootkit). We have a working version of a new detector that is able to deal with it but it hasn't been released yet (requires a program update). Sorry for the inconvenience so far.
If at first you don't succeed, then skydiving's not for you.

Offline .: L' arc :.

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1780
  • Thinking with Portals
(1) Firewall
       You seem to use XP's firewall or no firewall at all. It would be better if you used a firewall that supports outbound protection, since XP's firewall does not have this feature. Examples are PCTools, Agnitum Outpost and Online Armor.

(2) Fix these
       You may fix these entries by ticking the box beside the entry and selecting "Fix selected entries".

- R3 - URLSearchHook: (no name) - - (no file)
- O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
- O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
- O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
- O8 - Extra context menu item: &Search - ?p=ZK
- O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm *
- O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
- O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
- O16 - DPF: {FE8400F2-C848-4379-989F-DF2ED39040BE} (Eyeball Instant Messaging Control) - hXXp://www.rsvp.com.au/chat/RSVPChat.cab **

* If possible, uninstall the program via Add/Remove programs
** You just mentioned that the PC is meant for kids, so I think this adult stuff must be removed.

(3) Potentially unwanted
       These are mostly toolbars and are commonly classified as adware. Whether to remove or keep these entries is up to you.

- R3 - URLSearchHook: FCToolbarURLSearchHook Class - {b800be35-8e12-422f-9967-8176bbb4e828} - C:\Program Files\MouseHunt Toolbar\Helper.dll
- O2 - BHO: FCTBPos00Pos - {91B53B55-36CE-4ABE-A248-F97D6D9F0CFF} - C:\Program Files\MouseHunt Toolbar\Toolbar.dll
- O3 - Toolbar: MouseHunt Toolbar - {89F74AE6-CC04-4740-9A19-EEE1DCD2861B} - C:\Program Files\MouseHunt Toolbar\Toolbar.dll

(4) Odd entries ***
       We will need someone else's help on this one.

- O24 - Desktop Component 0: (no name) - hXXp://www.beautifulwallpapers.com/wallpapers/places/roach4t.jpg
- O24 - Desktop Component 1: (no name) - hXXp://www.beautifulwallpapers.com/wallpapers/photo/ny23t.gif
- O24 - Desktop Component 2: (no name) - hXXp://www.beautifulwallpapers.com/wallpapers/art/xbonnell2t.jpg
- O24 - Desktop Component 3: (no name) - hXXp://ctones.telstra.com/web/theme/image/bodybg.gif
- O24 - Desktop Component 4: (no name) - hXXp://www.google.com.au/logos/halloween07.gif
- O24 - Desktop Component 5: (no name) - hXXp://s3.amazonaws.com/kickflip/familyguyquotes/images/1476697443470595ffb66d80 _45360675_thumb.jpg

*** I assume these files can be deleted via:

Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab
Select everything you find in there (except for "My current home page") and press the delete button on the right.
Hit OK below, then Apply in the previous window.

Then delete the file C:\Program Files\Internet Explorer\
Windows 7 (64-bit) Home Premium SP1
avast! 9 RC1

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
As Vlk said, Alureon is a really complex piece of malware... the solution to the problem is harder because the infection is already there (the former AV didn't block it)... you can try MSRT..

micky77

  • Guest
I don't suppose it would make any difference, but if you just click on Files, then scan with RootRepeal, does the file C:\WINDOWS\system32\drivers\ytasfwvbcxvvti.sys show at all?
« Last Edit: September 07, 2009, 07:36:00 PM by micky77 »