TechSpot

Browser redirect and pop ups

By saintcav
Oct 13, 2010
  1. A neighbor brought their laptop over and it seems they are getting web search redirects, are unable to get to Windows Updates, and are having some random pop-ups of the "make this much by working from home" kind.

    Thank you for any help.

    Here are the scan logs from the 8-step instructions:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4811

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    10/13/2010 10:43:01 AM
    mbam-log-2010-10-13 (10-43-01).txt

    Scan type: Quick scan
    Objects scanned: 142402
    Time elapsed: 5 minute(s), 36 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 15
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00a6faf6-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf6-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    GMER 1.0.15.15315 - http://www.gmer.net
    Rootkit scan 2010-10-13 11:25:28
    Windows 5.1.2600 Service Pack 3
    Running: 9ku3jcbs.exe; Driver: C:\DOCUME~1\DDIALB~1\LOCALS~1\Temp\pxloapow.sys


    ---- System - GMER 1.0.15 ----

    SSDT 9F3A1BFE ZwCreateKey
    SSDT 9F3A1BF4 ZwCreateThread
    SSDT 9F3A1C03 ZwDeleteKey
    SSDT 9F3A1C0D ZwDeleteValueKey
    SSDT 9F3A1C12 ZwLoadKey
    SSDT 9F3A1BE0 ZwOpenProcess
    SSDT 9F3A1BE5 ZwOpenThread
    SSDT 9F3A1C1C ZwReplaceKey
    SSDT 9F3A1C17 ZwRestoreKey
    SSDT 9F3A1C08 ZwSetValueKey

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\Explorer.EXE[424] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E6000A
    .text C:\WINDOWS\Explorer.EXE[424] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00E7000A
    .text C:\WINDOWS\Explorer.EXE[424] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00E5000C
    .text C:\WINDOWS\System32\svchost.exe[1368] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D9000A
    .text C:\WINDOWS\System32\svchost.exe[1368] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DA000A
    .text C:\WINDOWS\System32\svchost.exe[1368] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D8000C
    .text C:\WINDOWS\System32\svchost.exe[1368] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0195000A
    .text C:\WINDOWS\System32\svchost.exe[1368] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00F2000A
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2748] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0117000A
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2748] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0118000A
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2748] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0116000C
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2748] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2748] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2748] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E4B6F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2748] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4AA1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2748] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4B0C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2748] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4972 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2748] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E49D4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2748] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4BD2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2748] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4A36 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2800] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E3000A
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2800] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00E4000A
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2800] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00E2000C
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2800] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2800] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AD5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2800] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD135 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2800] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2800] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254666 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2800] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E4B6F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2800] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4AA1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2800] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4B0C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2800] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4972 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2800] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E49D4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2800] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4BD2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2800] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4A36 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2800] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB80 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2800] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4EF0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[2800] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Fastfat \Fat 9D488D20

    AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----


    Second post with remaining logs to come.
     
  2. saintcav

    saintcav TS Rookie Topic Starter

    DDS (Ver_10-10-10.03) - NTFSx86
    Run by DDialbert at 13:20:06.03 on Wed 10/13/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.283 [GMT -4:00]

    AV: AVG Anti-Virus Free Edition 2011 *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\WINDOWS\Explorer.EXE
    svchost.exe
    C:\Program Files\DellTPad\Apoint.exe
    C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\Dell\MediaDirect\PCMService.exe
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Program Files\DellTPad\ApMsgFwd.exe
    C:\Program Files\DellTPad\HidFind.exe
    C:\Program Files\DellTPad\Apntex.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\DDialbert\Local Settings\Temporary Internet Files\Content.IE5\P7S7YZ4R\dds[1].scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
    uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
    uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1081117
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    mRun: [Apoint] c:\program files\delltpad\Apoint.exe
    mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
    mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
    mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
    Notify: igfxcui - igfxdev.dll
    Hosts: 127.0.0.1 www.spywareinfo.com

    ============= SERVICES / DRIVERS ===============

    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-10-13 11608]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-10-13 135336]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-10-13 267432]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-10-13 60936]
    R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-11-17 105984]
    S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
    S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
    S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
    S4 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys --> c:\windows\system32\drivers\avgmfx86.sys [?]
    S4 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys --> c:\windows\system32\drivers\avgrkx86.sys [?]
    S4 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys --> c:\windows\system32\drivers\avgtdix.sys [?]
    S4 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-9-10 265400]
    S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-1 135664]

    =============== Created Last 30 ================

    2010-10-13 13:17:11 -------- d-----w- c:\docume~1\ddialb~1\applic~1\Malwarebytes
    2010-10-13 13:17:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-13 13:17:00 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-10-13 13:16:59 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-13 13:16:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-13 12:40:19 -------- d-----w- c:\windows\system32\NtmsData
    2010-10-13 12:39:52 -------- d-----w- c:\docume~1\ddialb~1\applic~1\Avira
    2010-10-13 12:35:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-10-13 12:35:23 -------- d-----w- c:\program files\Avira
    2010-10-13 12:35:23 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
    2010-10-05 17:00:16 -------- d-----w- C:\VundoFix Backups
    2010-10-05 16:20:48 -------- d-----w- c:\program files\Trend Micro
    2010-10-05 16:14:12 -------- d-----w- c:\windows\pss
    2010-10-05 15:10:55 -------- d-----w- c:\docume~1\ddialb~1\applic~1\AVG10
    2010-10-05 15:10:18 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
    2010-10-05 15:09:32 -------- d-----w- c:\windows\system32\drivers\AVG
    2010-10-05 15:09:32 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
    2010-10-05 14:35:09 -------- d--h--w- C:\$AVG
    2010-10-05 14:21:54 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
    2010-10-04 14:04:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-10-04 14:04:05 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2010-09-13 20:27:24 25680 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys

    ==================== Find3M ====================


    ============= FINISH: 13:21:44.89 ===============



    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-10-10.03)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 12/5/2008 10:18:16 AM
    System Uptime: 10/13/2010 12:10:54 PM (1 hours ago)

    Motherboard: Dell Inc. | | 0U990C
    Processor: Intel(R) Pentium(R) Dual CPU T2390 @ 1.86GHz | Microprocessor | 1862/133mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 99 GiB total, 83.946 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: 1394 Net Adapter
    Device ID: V1394\NIC1394\EF5D9E1424FC000
    Manufacturer: Microsoft
    Name: 1394 Net Adapter
    PNP Device ID: V1394\NIC1394\EF5D9E1424FC000
    Service: NIC1394

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Reader 9
    Adobe Shockwave Player 11.5
    AVG 2011
    Avira AntiVir Personal - Free Antivirus
    CCleaner
    Compatibility Pack for the 2007 Office system
    Conexant HDA D330 MDC V.92 Modem
    Core FTP LE 2.1
    Dell Support Center
    Dell System Restore
    Dell Touchpad
    Dell Wireless WLAN Card Utility
    Digital Line Detect
    Documentation & Support Launcher
    Games, Music, & Photos Launcher
    Google Toolbar for Internet Explorer
    Google Update Helper
    GoToAssist 8.0.0.514
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB953955)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    Intel(R) Graphics Media Accelerator Driver
    Internet Service Offers Launcher
    Java(TM) 6 Update 7
    Malwarebytes' Anti-Malware
    MediaDirect
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Plus! Digital Media Edition Installer
    Microsoft Plus! Photo Story 2 LE
    Microsoft Software Update for Web Folders (English) 12
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft WSE 3.0 Runtime
    Modem Diagnostic Tool
    MSXML 6.0 Parser (KB927977)
    Musicmatch for Windows Media Player
    NetWaiting
    OutlookAddinSetup
    QuickSet
    Roxio Creator Audio
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE
    Roxio Creator Tools
    Roxio Express Labeler 3
    Roxio Update Manager
    SeaWorld Adventure Park Tycoon
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953838)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB963027)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969897)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165-v2)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Spybot - Search & Destroy
    The Sims™ 3
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB972636)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951618-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Internet Explorer 8
    Windows Media Format Runtime
    Windows Media Player 10
    Windows Presentation Foundation
    WinZip 12.0
    XML Paper Specification Shared Components Pack 1.0

    ==== Event Viewer Messages From Past Week ========

    10/13/2010 11:04:57 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the AntiVirSchedulerService service.

    ==== End Of File ===========================
     
  3. Broni

    Broni, Malware Annihilator

    Welcome aboard

    You're running two AV programs, AVG and Avira.
    One of them has to go.
    If AVG (preferably), use AVG Remover: http://www.avg.com/us-en/download-tools

    ======================================================================

    Download MBRCheck to your desktop

    Double-click MBRCheck.exe to run it (Vista and Windows 7 users, right-click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop.
    Open this report and post its content in your next reply.

    ======================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with ComboFix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  4. saintcav

    saintcav TS Rookie Topic Starter

    Uninstalled AVG (what a pain that was...) and here are the 2 logs requested.

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000000c

    Kernel Drivers (total 127):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806E4000 \WINDOWS\system32\hal.dll
    0xF7AF0000 \WINDOWS\system32\KDCOM.DLL
    0xF7A00000 \WINDOWS\system32\BOOTVID.dll
    0xF74C1000 ACPI.sys
    0xF7AF2000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF74B0000 pci.sys
    0xF75F0000 isapnp.sys
    0xF7A04000 compbatt.sys
    0xF7A08000 \WINDOWS\system32\DRIVERS\BATTC.SYS
    0xF7BB8000 pciide.sys
    0xF7870000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF7600000 MountMgr.sys
    0xF7491000 ftdisk.sys
    0xF746B000 dmio.sys
    0xF7878000 PartMgr.sys
    0xF7610000 VolSnap.sys
    0xF7453000 atapi.sys
    0xF738C000 iaStor.sys
    0xF7620000 disk.sys
    0xF7630000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF736C000 fltMgr.sys
    0xF7640000 PxHelp20.sys
    0xF7355000 KSecDD.sys
    0xF72C8000 Ntfs.sys
    0xF729B000 NDIS.sys
    0xF7650000 ohci1394.sys
    0xF7660000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
    0xF7281000 Mup.sys
    0xF7670000 AVGIDSEH.Sys
    0xF76A0000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xF6094000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
    0xF6080000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF78F8000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xF605C000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF7900000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF6034000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xF5FF3000 \SystemRoot\system32\DRIVERS\yk51x86.sys
    0xF5FDF000 \SystemRoot\system32\DRIVERS\sdbus.sys
    0xF76B0000 \SystemRoot\system32\DRIVERS\rimmptsk.sys
    0xF5FCB000 \SystemRoot\system32\DRIVERS\rimsptsk.sys
    0xF5F7A000 \SystemRoot\system32\DRIVERS\rixdptsk.sys
    0xF76C0000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xF5F4E000 \SystemRoot\system32\DRIVERS\Apfiltr.sys
    0xF76D0000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
    0xF5ED3000 \SystemRoot\system32\DRIVERS\Wdf01000.sys
    0xF7908000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF7910000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF76E0000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xF76F0000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xF7700000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xF5EB0000 \SystemRoot\system32\DRIVERS\ks.sys
    0xF7220000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0xF721C000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
    0xF7CE1000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF7710000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF7218000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xF5E99000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF7720000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF6AB0000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF7918000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xF5E88000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF6AA0000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF7920000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF7928000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF5E58000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xF6A90000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF7B36000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xF5DFA000 \SystemRoot\system32\DRIVERS\update.sys
    0xF7200000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF6A80000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xAA460000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF7B74000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xA6737000 \SystemRoot\system32\DRIVERS\HSFHWAZL.sys
    0xA6645000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys
    0xA6592000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
    0xA7E78000 \SystemRoot\System32\Drivers\Modem.SYS
    0xA6573000 \SystemRoot\system32\drivers\IntcHdmi.sys
    0xA654F000 \SystemRoot\system32\drivers\portcls.sys
    0xA775C000 \SystemRoot\system32\drivers\drmk.sys
    0xA6391000 \SystemRoot\system32\drivers\sthda.sys
    0xA2720000 \SystemRoot\System32\Drivers\i2omgmt.SYS
    0xF7B68000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xA2E33000 \SystemRoot\System32\Drivers\Null.SYS
    0xF7B6A000 \SystemRoot\System32\Drivers\Beep.SYS
    0xA24DB000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xA24D3000 \SystemRoot\System32\drivers\vga.sys
    0xF7B6C000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF7B76000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xA2073000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xA206B000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xA2718000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xA1827000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xA17CE000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xA17A6000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xA1780000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xA175E000 \SystemRoot\System32\drivers\afd.sys
    0xA2CA0000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xA2C90000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xA1733000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xA16C3000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xA25E5000 \SystemRoot\System32\Drivers\Fips.SYS
    0xA2700000 \SystemRoot\SYSTEM32\DRIVERS\APPDRV.SYS
    0xA25B5000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xA15FC000 \SystemRoot\System32\Drivers\dump_iaStor.sys
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xA1FD1000 \SystemRoot\System32\drivers\Dxapi.sys
    0xA205B000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF7C06000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF024000 \SystemRoot\System32\igxpgd32.dll
    0xBF012000 \SystemRoot\System32\igxprd32.dll
    0xBF04E000 \SystemRoot\System32\igxpdv32.DLL
    0xBF1D9000 \SystemRoot\System32\igxpdx32.DLL
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xA8466000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xA1597000 \SystemRoot\system32\drivers\wdmaud.sys
    0xA9975000 \SystemRoot\system32\drivers\sysaudio.sys
    0xA1334000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xA137D000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
    0xA1265000 \SystemRoot\system32\DRIVERS\srv.sys
    0xA0F54000 \SystemRoot\System32\Drivers\HTTP.sys
    0xA0B69000 \SystemRoot\system32\DRIVERS\avipbb.sys
    0xA2DDB000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
    0xA0B54000 \SystemRoot\system32\DRIVERS\avgntflt.sys
    0xA0949000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 39):
    0 System Idle Process
    4 System
    628 C:\WINDOWS\system32\smss.exe
    684 csrss.exe
    708 C:\WINDOWS\system32\winlogon.exe
    756 C:\WINDOWS\system32\services.exe
    768 C:\WINDOWS\system32\lsass.exe
    948 C:\WINDOWS\system32\svchost.exe
    1020 svchost.exe
    1120 C:\WINDOWS\system32\svchost.exe
    1224 svchost.exe
    1304 svchost.exe
    1460 C:\WINDOWS\system32\spoolsv.exe
    1776 C:\Program Files\Google\Update\GoogleUpdate.exe
    1864 C:\WINDOWS\explorer.exe
    620 svchost.exe
    1188 wdfmgr.exe
    2404 alg.exe
    2752 C:\WINDOWS\system32\ctfmon.exe
    2840 C:\Program Files\DellTPad\Apoint.exe
    2916 C:\Program Files\Sigmatel\C-Major Audio\WDM\stsystra.exe
    2984 C:\WINDOWS\system32\hkcmd.exe
    3032 C:\WINDOWS\system32\igfxpers.exe
    3040 C:\WINDOWS\system32\igfxsrvc.exe
    3056 C:\WINDOWS\system32\WLTRAY.EXE
    3164 C:\Program Files\Dell\MediaDirect\PCMService.exe
    3304 C:\Program Files\Digital Line Detect\DLG.exe
    3316 C:\Program Files\WinZip\WZQKPICK.EXE
    3420 C:\Program Files\DellTPad\ApMsgFwd.exe
    3452 C:\Program Files\DellTPad\hidfind.exe
    3464 C:\Program Files\DellTPad\ApntEx.exe
    3824 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    1300 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    2256 C:\Program Files\Avira\AntiVir Desktop\sched.exe
    4088 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    3132 C:\Program Files\Internet Explorer\iexplore.exe
    2128 C:\Program Files\Internet Explorer\iexplore.exe
    2464 C:\Program Files\Internet Explorer\iexplore.exe
    3924 C:\Documents and Settings\DDialbert\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`04e71400 (NTFS)

    PhysicalDrive0 Model Number: WDCWD1200BEVT-75ZCT2, Rev: 11.01A11

    Size Device Name MBR Status
    --------------------------------------------
    111 GB \\.\PhysicalDrive0 Unknown MBR code
    SHA1: 49317473774A146FB87EC5200B1C6B80AB2FF32D


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    Done!

    ComboFix 10-10-12.03 - DDialbert 10/14/2010 9:06.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.658 [GMT -4:00]
    Running from: c:\documents and settings\DDialbert\Desktop\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\DDialbert\Local Settings\Application Data\{FB856E86-B01B-449D-BBD7-3FA88A81A11C}
    c:\documents and settings\DDialbert\Local Settings\Application Data\{FB856E86-B01B-449D-BBD7-3FA88A81A11C}\chrome.manifest
    c:\documents and settings\DDialbert\Local Settings\Application Data\{FB856E86-B01B-449D-BBD7-3FA88A81A11C}\chrome\content\_cfg.js
    c:\documents and settings\DDialbert\Local Settings\Application Data\{FB856E86-B01B-449D-BBD7-3FA88A81A11C}\chrome\content\overlay.xul
    c:\documents and settings\DDialbert\Local Settings\Application Data\{FB856E86-B01B-449D-BBD7-3FA88A81A11C}\install.rdf

    Infected copy of c:\windows\system32\drivers\dmio.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_MYWEBSEARCHSERVICE


    ((((((((((((((((((((((((( Files Created from 2010-09-14 to 2010-10-14 )))))))))))))))))))))))))))))))
    .

    2010-10-14 12:47 . 2010-03-01 14:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-10-14 12:47 . 2010-02-16 18:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-10-14 12:47 . 2009-05-11 16:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2010-10-14 12:47 . 2009-05-11 16:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2010-10-14 12:47 . 2010-10-14 12:47 -------- d-----w- c:\program files\Avira
    2010-10-14 12:47 . 2010-10-14 12:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2010-10-13 13:30 . 2010-10-13 13:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-10-13 13:17 . 2010-10-13 13:17 -------- d-----w- c:\documents and settings\DDialbert\Application Data\Malwarebytes
    2010-10-13 13:17 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-13 13:17 . 2010-10-13 13:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-10-13 13:16 . 2010-10-13 13:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-13 13:16 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-13 12:40 . 2010-10-13 13:06 -------- d-----w- c:\windows\system32\NtmsData
    2010-10-05 17:00 . 2010-10-05 17:00 -------- d-----w- C:\VundoFix Backups
    2010-10-05 16:20 . 2010-10-05 16:20 -------- d-----w- c:\program files\Trend Micro
    2010-10-05 15:10 . 2010-10-05 15:10 -------- d-----w- c:\documents and settings\DDialbert\Application Data\AVG10
    2010-10-05 15:10 . 2010-10-05 15:10 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
    2010-10-05 15:09 . 2010-10-14 12:39 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
    2010-10-05 14:35 . 2010-10-05 14:35 -------- d-----w- C:\$AVG
    2010-10-05 14:21 . 2010-10-14 12:02 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2010-10-04 14:04 . 2010-10-05 12:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-10-04 14:04 . 2010-10-04 14:05 -------- d-----w- c:\program files\Spybot - Search & Destroy

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-03-19 167936]
    "SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2008-03-19 405504]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-19 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-19 166424]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-19 137752]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-06-30 2220032]
    "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
    "PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-11-17 50688]
    WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-9-10 525664]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
    2008-11-17 07:20 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "wltrysvc"=2 (0x2)
    "stllssvr"=3 (0x3)
    "STacSV"=2 (0x2)
    "ose"=3 (0x3)
    "odserv"=3 (0x3)
    "idsvc"=3 (0x3)
    "gusvc"=3 (0x3)
    "gupdate"=2 (0x2)
    "GoToAssist"=3 (0x3)
    "avgwd"=2 (0x2)
    "AVGIDSAgent"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=

    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 4:27 PM 25680]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/14/2010 8:47 AM 135336]
    R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [11/17/2008 4:43 AM 105984]
    S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/1/2010 5:34 PM 135664]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-10-14 c:\windows\Tasks\CCleaner.job
    - c:\progra~1\CCleaner\CCleaner.exe [2010-09-24 17:54]

    2010-10-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 21:34]

    2010-10-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 21:34]

    2010-10-14 c:\windows\Tasks\User_Feed_Synchronization-{CB1AB0A0-B178-4D1C-B338-EC92C4F37F95}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1081117
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-Locked - (no file)


    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(712)
    c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
    c:\windows\System32\BCMLogon.dll

    - - - - - - - > 'explorer.exe'(3352)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\igfxsrvc.exe
    c:\program files\DellTPad\ApMsgFwd.exe
    c:\program files\DellTPad\HidFind.exe
    c:\program files\DellTPad\Apntex.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\windows\system32\wdfmgr.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    .
    **************************************************************************
    .
    Completion time: 2010-10-14 09:14:20 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-10-14 13:14

    Pre-Run: 89,807,101,952 bytes free
    Post-Run: 90,043,133,952 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - 2DD7283EFC1D109F8FE2AAEC550D9220
     
  5. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    How is the redirection?

    Your MBR seems to be infected.

    Please download NTBR by noahdfear and save it to your Desktop.
    File size: 2.44 MB (2,565,432 bytes)

    • Place a blank CD in your CD drive.
    • Double click on NTBR_CD.exe file and a folder of the same name will appear.
    • Open the folder and double click on BurnItCD.cmd file. If your CD drive opens, simply close it again.
    • Follow the prompts to burn the CD.
    • Now you will need to set the CD-ROM as first boot device if it isn't already (if you don't know how to do it, see HERE)
    • If you have any questions about this step, ask before you proceed. If you enter the BIOS and are unsure if you have carried out the step correctly, there should be an option to exit without keeping changes, so you won't do any harm.
    • Insert the newly created CD into your infected PC and reboot your computer.
    • Once you have rebooted please press Enter when prompted to continue booting from CD - you have a whole 15 seconds to do this!
    • Read the warning and then continue as prompted.
    • You first need to select your keyboard layout - press Enter for English.
    • Next you want to select the appropriate tool. Enter 1 to choose 1. MBRWORK
    • On the following screen enter 5 to select Install Standard MBR code.
    • Enter 1 to overwrite the infected MBR Code with the Standard MBR code.
    • When asked to confirm please do so.
    • Afterwards, please enter E to leave MBRWORK, then 6 to leave the bootable CD.
    • Eject the disc and then press ctrl+alt+del to reboot the PC.
    Once rebooted, run MBRCheck again and post its log.
     
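The MBRCheck verdict in post 4 ("Unknown MBR code" plus a SHA1 of the sector's code) and the MBRWORK "Install Standard MBR code" step in post 5 both depend on the layout of the first sector: 440 bytes of boot code, the 4-byte Windows disk signature, the 64-byte partition table and the 0x55AA boot signature. The following is an added example, not code from the thread, from MBRCheck or from MBRWORK. It hashes the boot-code region, looks the hash up in a table of known-good code, and rebuilds the sector with replacement boot code while leaving the disk signature, partition table and boot signature untouched, which is the property a safe "install standard MBR" must have so the partitions stay addressable. All sample bytes, hashes and partition sizes are constructed for the demo; the only value taken from the thread is the C: byte offset 0x04e71400 from the MBRCheck log. That MBRCheck hashes exactly bytes 0..439 is an assumption, as the tool's scope is not stated on the page.

```python
"""Added example (not from the thread, MBRCheck or MBRWORK): inspect a
512-byte MBR image, hash its boot code, and rebuild it with known boot
code while keeping the disk signature and partition table."""
import hashlib
import struct

MBR_SIZE = 512
BOOTCODE_LEN = 440        # bytes 0..439 hold executable boot code
DISK_SIG_OFF = 440        # bytes 440..443 hold the Windows disk signature
PART_TABLE_OFF = 446      # four 16-byte partition entries start here
BOOT_SIG = b"\x55\xaa"    # bytes 510..511 must be 0x55 0xAA
PART_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sectors


def sha1_bootcode(mbr: bytes) -> str:
    """SHA1 of the boot-code region only (assumption: this is the scope
    MBRCheck hashes; the thread does not say)."""
    return hashlib.sha1(mbr[:BOOTCODE_LEN]).hexdigest().upper()


def parse_mbr(mbr: bytes) -> dict:
    """Validate the sector and return disk signature and non-empty partitions."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_s, ptype, _chs_e, lba_start, sectors = struct.unpack(
            PART_FMT, mbr[off:off + 16])
        if ptype == 0:
            continue                      # empty slot
        partitions.append({"index": i + 1, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba_start,
                           "byte_offset": lba_start * 512, "sectors": sectors})
    return {"bootcode_sha1": sha1_bootcode(mbr),
            "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
            "partitions": partitions}


def classify(mbr: bytes, known_good: dict) -> str:
    """Name the known boot code that matches, or report unknown code."""
    return known_good.get(sha1_bootcode(mbr), "Unknown MBR code")


def install_standard_code(mbr: bytes, standard_bootcode: bytes) -> bytes:
    """Overwrite only bytes 0..439; everything from the disk signature on is
    copied from the existing sector so the partitions remain addressable."""
    if len(standard_bootcode) != BOOTCODE_LEN:
        raise ValueError("standard boot code must be 440 bytes")
    return standard_bootcode + mbr[BOOTCODE_LEN:]


# The C: start comes from the posted MBRCheck line
# "\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`04e71400".
C_LBA = 0x04E71400 // 512                 # = 160650 sectors


def build_sample_mbr(bootcode: bytes) -> bytes:
    """Constructed sample sector: made-up disk signature and sizes, with the
    bootable NTFS entry placed where the log says C: begins."""
    sector = bytearray(MBR_SIZE)
    sector[:BOOTCODE_LEN] = bootcode
    struct.pack_into("<I", sector, DISK_SIG_OFF, 0xDEADBEEF)          # constructed
    struct.pack_into(PART_FMT, sector, PART_TABLE_OFF,                # entry 1
                     0x00, b"\0\0\0", 0x06, b"\0\0\0", 63, C_LBA - 63)  # utility part.
    struct.pack_into(PART_FMT, sector, PART_TABLE_OFF + 16,           # entry 2
                     0x80, b"\0\0\0", 0x07, b"\0\0\0", C_LBA, 233_839_000)  # C: NTFS
    sector[510:512] = BOOT_SIG
    return bytes(sector)


# Stand-in for clean boot code: NOT real Windows MBR code, only a constant so
# a known-good hash table can be built for the demo.
STANDARD_BOOTCODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * (BOOTCODE_LEN - 8)
KNOWN_GOOD = {hashlib.sha1(STANDARD_BOOTCODE).hexdigest().upper():
              "Stand-in standard MBR code"}

# Constructed "infected" code: the first bytes are replaced with a far jump,
# the way a bootkit redirects the boot path to its own loader.
INFECTED_BOOTCODE = b"\xea\x00\x7c\x00\x00" + STANDARD_BOOTCODE[5:]


def demo() -> dict:
    infected = build_sample_mbr(INFECTED_BOOTCODE)
    repaired = install_standard_code(infected, STANDARD_BOOTCODE)
    before, after = parse_mbr(infected), parse_mbr(repaired)
    return {"verdict_before": classify(infected, KNOWN_GOOD),
            "verdict_after": classify(repaired, KNOWN_GOOD),
            "partitions_preserved": before["partitions"] == after["partitions"],
            "disk_signature_preserved": before["disk_signature"] == after["disk_signature"],
            "c_byte_offset": after["partitions"][1]["byte_offset"]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two points for anyone reproducing the thread's procedure on a real disk: a hash miss against a known-good table means only that the code is not one the tool recognises, so an OEM boot manager or a third-party boot loader can also produce "Unknown MBR code" and the verdict should be weighed together with the other findings (here, a patched dmio.sys and search redirects); and the repair must be applied to the boot-code region only, since clobbering bytes 440 onward changes the disk signature Windows uses in its mounted-devices table and can leave the system unbootable even after the malicious code is gone.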
Topic Status:
Not open for further replies.
