TechSpot

[Closed] IE8 and Mozilla redirect / I'm following the 8 step program

By tmandato
Dec 9, 2010
  1. I'm working on a friend's PC that had no anti-virus, firewall, etc. Primary symptom is IE and Firefox redirecting to random sites. I've removed things before from my own computer, but that was at least 3 yrs ago, and I haven't had a single problem since installing Symantec, so I'm now out of practice and stumped. Incidentally, AVG occasionally pops up with a threat, and by the time you respond to say 'remove it' the file is gone. This machine certainly has a gremlin!

    Though not asked for, I see a BHO (first one) in HijackThis that looks suspicious, so I put my HijackThis log at the bottom of this post.

    Thanks for looking at this for me!
    Tony

    I'll have to follow up with some of the logs, turns out they are too long and it won't allow me to post all of this at once...

    Steps 1-6 of the 8 Step program for virus addiction:

    1. AVG installed, removed some trojans and other viruses.
    2. TFC executed
    3. Malware run - initially it removed some things, but I ran it before finding this forum. Now it runs clean.
    Here is the most recent log; I have the other one, but I'm having a bear of a time posting to this forum with all these logs and keeping the post under 50000 chars:
    Malwarebytes' Anti-Malware 1.50
    www.malwarebytes.org

    Database version: 5272

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    12/9/2010 12:14:45 PM
    mbam-log-2010-12-09 (12-14-45).txt

    Scan type: Quick scan
    Objects scanned: 137432
    Time elapsed: 1 minute(s), 55 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    4. GMER log:
    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2010-12-09 12:22:41
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 ST3250410AS rev.3.AAF
    Running: tlfd432w.exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\kggorkow.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xA52A76C0]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xA52A7770]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xA52A7810]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xA52A78B0]

    ---- Kernel code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB63FC3A0, 0x59FFE5, 0xE8000020]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\Explorer.EXE[384] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CF000A
    .text C:\WINDOWS\Explorer.EXE[384] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D0000A
    .text C:\WINDOWS\Explorer.EXE[384] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00CE000C
    .text C:\Program Files\Internet Explorer\iexplore.exe[1408] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DD000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[1408] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DE000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[1408] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A3000C
    .text C:\Program Files\Internet Explorer\iexplore.exe[1408] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 037D14C7 C:\Documents and Settings\User\Application Data\Sun\fuvvn.dll (2,3,1,0/Sun Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1408] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154F5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1408] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1408] USER32.dll!GetClipboardData 7E430DBA 5 Bytes JMP 037D1319 C:\Documents and Settings\User\Application Data\Sun\fuvvn.dll (2,3,1,0/Sun Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1408] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5027 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1408] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4F59 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1408] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4FC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1408] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4E2A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1408] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4E8C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1408] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E508A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1408] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4EEE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1408] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E538F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\WINDOWS\System32\svchost.exe[1600] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F1000A
    .text C:\WINDOWS\System32\svchost.exe[1600] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00F2000A
    .text C:\WINDOWS\System32\svchost.exe[1600] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00AD000C
    .text C:\WINDOWS\System32\svchost.exe[1600] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 01FD000A
    .text C:\WINDOWS\System32\svchost.exe[1600] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00FA000A

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Program Files\Internet Explorer\iexplore.exe[1408] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A9DB39B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A9DB39B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 8A9DB39B

    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST3250410AS_____________________________3.AAF___#5&1d2302db&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

    ---- EOF - GMER 1.0.15 ----

    5. DDS "Attach.txt":
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-05.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 6/2/2010 1:27:36 PM
    System Uptime: 12/9/2010 12:05:42 PM (0 hours ago)

    Motherboard: Dell Inc. | | 0WG860
    Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz | Microprocessor | 2394/1066mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 233 GiB total, 210.029 GiB free.
    D: is CDROM ()
    E: is Removable
    F: is Removable
    G: is Removable
    H: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP28: 9/10/2010 3:56:14 PM - Installed Windows XP WgaNotify.
    RP29: 9/10/2010 9:48:21 PM - Software Distribution Service 3.0
    RP30: 9/12/2010 10:56:35 AM - System Checkpoint
    RP31: 9/13/2010 11:03:16 AM - System Checkpoint
    RP32: 9/15/2010 4:41:54 PM - System Checkpoint
    RP33: 9/15/2010 10:35:46 PM - Software Distribution Service 3.0
    RP34: 9/17/2010 5:29:56 PM - System Checkpoint
    RP35: 9/19/2010 11:26:57 AM - System Checkpoint
    RP36: 9/20/2010 11:46:47 AM - System Checkpoint
    RP37: 9/21/2010 2:36:40 PM - System Checkpoint
    RP38: 9/22/2010 2:42:22 PM - System Checkpoint
    RP39: 9/23/2010 9:36:21 AM - Avg Update
    RP40: 9/23/2010 9:37:14 AM - Avg Update
    RP41: 9/24/2010 3:55:22 PM - System Checkpoint
    RP42: 9/25/2010 4:31:28 PM - System Checkpoint
    RP43: 9/26/2010 4:47:07 PM - System Checkpoint
    RP44: 9/27/2010 5:24:57 PM - System Checkpoint
    RP45: 9/28/2010 5:51:39 PM - System Checkpoint
    RP46: 9/29/2010 6:06:47 PM - System Checkpoint
    RP47: 9/29/2010 9:11:15 PM - Software Distribution Service 3.0
    RP48: 10/1/2010 3:48:03 PM - System Checkpoint
    RP49: 10/2/2010 4:36:22 PM - System Checkpoint
    RP50: 10/3/2010 5:20:29 PM - System Checkpoint
    RP51: 10/4/2010 2:00:27 PM - Avg Update
    RP52: 10/5/2010 2:21:43 PM - System Checkpoint
    RP53: 10/6/2010 3:39:42 PM - System Checkpoint
    RP54: 10/6/2010 4:23:15 PM - Installed QuickTime
    RP55: 10/7/2010 5:06:31 PM - System Checkpoint
    RP56: 10/8/2010 6:00:49 PM - System Checkpoint
    RP57: 10/9/2010 6:47:44 PM - System Checkpoint
    RP58: 10/10/2010 7:46:39 PM - System Checkpoint
    RP59: 10/11/2010 7:46:46 PM - System Checkpoint
    RP60: 10/12/2010 8:46:46 PM - System Checkpoint
    RP61: 10/14/2010 3:27:01 PM - System Checkpoint
    RP62: 10/14/2010 10:02:18 PM - Software Distribution Service 3.0
    RP63: 10/16/2010 10:41:36 AM - System Checkpoint
    RP64: 10/17/2010 10:42:37 AM - System Checkpoint
    RP65: 10/17/2010 7:52:07 PM - Installed Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    RP66: 10/17/2010 7:52:16 PM - Installed AVG 2011
    RP67: 10/17/2010 7:53:04 PM - Removed AVG Free 9.0
    RP68: 10/17/2010 7:55:59 PM - Installed AVG 2011
    RP69: 10/19/2010 3:06:26 PM - System Checkpoint
    RP70: 10/20/2010 3:38:37 PM - System Checkpoint
    RP71: 10/22/2010 3:59:38 PM - System Checkpoint
    RP72: 10/23/2010 4:49:06 PM - System Checkpoint
    RP73: 10/24/2010 4:53:43 PM - System Checkpoint
    RP74: 10/25/2010 5:21:00 PM - System Checkpoint
    RP75: 10/26/2010 6:04:50 PM - System Checkpoint
    RP76: 10/27/2010 6:42:03 PM - System Checkpoint
    RP77: 10/28/2010 7:49:39 PM - System Checkpoint
    RP78: 10/30/2010 12:20:53 PM - System Checkpoint
    RP79: 10/31/2010 12:39:25 PM - System Checkpoint
    RP80: 11/1/2010 2:23:43 PM - System Checkpoint
    RP81: 11/2/2010 2:29:34 PM - System Checkpoint
    RP82: 11/3/2010 2:40:44 PM - System Checkpoint
    RP83: 11/4/2010 3:03:04 PM - System Checkpoint
    RP84: 11/5/2010 4:10:43 PM - System Checkpoint
    RP85: 11/6/2010 2:57:35 PM - Removed OpenOffice.org 3.1
    RP86: 11/6/2010 2:59:00 PM - Installed OpenOffice.org 3.2
    RP87: 11/7/2010 2:55:54 PM - System Checkpoint
    RP88: 11/8/2010 3:20:11 PM - System Checkpoint
    RP89: 11/9/2010 3:42:11 PM - System Checkpoint
    RP90: 11/10/2010 4:28:10 PM - System Checkpoint
    RP91: 11/10/2010 8:18:24 PM - Software Distribution Service 3.0
    RP92: 11/11/2010 9:06:27 PM - System Checkpoint
    RP93: 11/13/2010 9:43:52 AM - System Checkpoint
    RP94: 11/14/2010 10:03:21 AM - System Checkpoint
    RP95: 11/15/2010 1:07:14 PM - System Checkpoint
    RP96: 11/16/2010 1:28:19 PM - System Checkpoint
    RP97: 11/17/2010 1:28:59 PM - System Checkpoint
    RP98: 11/18/2010 1:46:08 PM - System Checkpoint
    RP99: 11/19/2010 2:07:18 PM - System Checkpoint
    RP100: 11/20/2010 2:56:33 PM - System Checkpoint
    RP101: 11/21/2010 3:56:54 PM - System Checkpoint
    RP102: 11/22/2010 4:06:33 PM - System Checkpoint
    RP103: 11/23/2010 4:22:33 PM - System Checkpoint
    RP104: 11/24/2010 4:50:59 PM - System Checkpoint
    RP105: 11/25/2010 5:28:21 PM - System Checkpoint
    RP106: 11/26/2010 6:22:51 PM - System Checkpoint
    RP107: 11/28/2010 10:18:35 AM - System Checkpoint
    RP108: 11/29/2010 12:46:11 PM - System Checkpoint
    RP109: 11/30/2010 1:25:09 PM - System Checkpoint
    RP110: 12/1/2010 2:35:24 PM - System Checkpoint
    RP111: 12/2/2010 3:07:06 PM - System Checkpoint
    RP112: 12/4/2010 9:05:43 AM - System Checkpoint
    RP113: 12/5/2010 9:48:25 AM - System Checkpoint
    RP114: 12/6/2010 2:13:52 PM - System Checkpoint
    RP115: 12/6/2010 5:30:38 PM - Restore Operation
    RP116: 12/8/2010 12:43:14 PM - System Checkpoint
    RP117: 12/8/2010 5:03:30 PM - Removed AVG 2011

    ==== Installed Programs ======================

    32 Bit HP CIO Components Installer
    32 bit Windows Card Reader Driver
    3600_Help
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Reader 9.4.1
    Apple Application Support
    Apple Software Update
    AVG 2011
    BPD_Scan
    BPDSoftware
    BPDSoftware_Ini
    BufferChm
    Conexant HDA D110 MDC V.92 Modem
    CustomerResearchQFolder
    Destinations
    DeviceManagementQFolder
    DocProc
    DocProcQFolder
    eSupportQFolder
    Fax
    Google Earth Plug-in
    Google Toolbar for Internet Explorer
    Google Update Helper
    High Definition Audio Driver Package - KB835221
    HiJackThis
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB981793)
    HP Customer Participation Program 8.0
    HP Imaging Device Functions 8.0
    HP OCR Software 8.0
    HP Officejet J3600 Series
    HP Solution Center 8.0
    HP Update
    HPProductAssistant
    HPSSupply
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PRO Network Connections Drivers
    J3600
    Java(TM) 6 Update 16
    Kung Fu Panda(TM)
    Logitech Gaming Software 5.08
    Malwarebytes' Anti-Malware
    MarketResearch
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mozilla Firefox (3.6.12)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NVIDIA Display Control Panel
    NVIDIA Drivers
    NVIDIA nView Desktop Manager
    NVIDIA PhysX
    OpenOffice.org 3.2
    ProductContext
    QuickTime
    Scan
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    SigmaTel Audio
    SolutionCenter
    Status
    Super Collapse 3
    Super Collapse 3 (remove only)
    Toolbox
    TrayApp
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    WebFldrs XP
    WebReg
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    Yahoo! Install Manager
    Yahoo! Software Update

    ==== Event Viewer Messages From Past Week ========

    12/8/2010 2:14:31 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    12/8/2010 2:07:31 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service netman with arguments "" in order to run the server: {BA126ADB-2166-11D1-B1D0-00805FC1270E}
    12/8/2010 11:35:58 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    12/7/2010 12:31:18 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
    12/7/2010 12:03:47 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    12/7/2010 12:03:18 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Avgldx86 Avgmfx86 Fips intelppm
    12/7/2010 12:03:16 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    12/7/2010 11:26:21 AM, error: Service Control Manager [7022] - The Automatic Updates service hung on starting.
    12/6/2010 8:40:48 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    12/6/2010 6:17:14 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

    ==== End Of File ===========================

    DDS "DDS.txt"
    DDS (Ver_10-12-05.01) - NTFSx86
    Run by User at 12:24:44.84 on Thu 12/09/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.1805 [GMT -5:00]

    AV: AVG Internet Security 2011 *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

    ============== Running Processes ===============

    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Logitech\Gaming Software\LWEMon.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    svchost.exe
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\AVG\AVG10\avgui.exe
    C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\Program Files\AVG\AVG10\avgemcx.exe
    C:\Program Files\AVG\AVG10\avgfws.exe
    C:\Program Files\AVG\AVG10\avgnsx.exe
    C:\Program Files\AVG\AVG10\avgchsvx.exe
    C:\Program Files\AVG\AVG10\avgrsx.exe
    C:\Program Files\AVG\AVG10\avgcsrvx.exe
    C:\Program Files\AVG\AVG10\avgam.exe
    C:\Program Files\AVG\AVG10\avgcsrvx.exe
    C:\Documents and Settings\User\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.yahoo.com/
    mDefault_Page_URL = hxxp://www.broadentechnologies.com/shop
    mStart Page = hxxp://www.broadentechnologies.com/shop
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [Start WingMan Profiler] c:\program files\logitech\gaming software\LWEMon.exe /noui
    mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    mASetup: {927E1ED5-CA30-418E-AD03-13B7DA4B46BD} - rundll32.exe "c:\documents and settings\user\application data\sun\fuvvn.dll", UnregisterDll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\783fuha4.default\
    FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cbb8d59&v=6.010.023.001&i=26&tp=ab&iy=&ychte=us&lng=en-US&q=
    FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
    FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
    FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
    FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
    FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Extension: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox
    FF - Extension: AVG Security Toolbar em:version=6.010.023.001 em:displayname=AVG Security Toolbar em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security Toolbar em:homepageURL=http://www.avg.com >: avg@igeared - c:\program files\avg\avg10\toolbar\firefox\avg@igeared

    ============= SERVICES / DRIVERS ===============

    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 299984]
    R2 avgfws;AVG Firewall;c:\program files\avg\avg10\avgfws.exe [2010-11-9 3229728]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-10 6127184]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
    R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-9-28 136176]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2010-10-17 517448]
    S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]

    =============== Created Last 30 ================

    2010-12-08 18:05:43 -------- d-----w- c:\docume~1\user\locals~1\applic~1\AVG Security Toolbar
    2010-12-08 16:04:06 -------- d-----w- c:\docume~1\user\applic~1\Malwarebytes
    2010-12-08 16:04:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-08 16:04:01 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-12-08 16:03:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-08 16:03:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-12-07 17:51:13 388096 ----a-r- c:\docume~1\user\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2010-12-07 17:51:13 -------- d-----w- c:\program files\Trend Micro
    2010-12-07 17:17:55 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Mozilla
    2010-12-07 00:22:12 -------- d-----w- c:\windows\system32\%APPDATA%
    2010-12-06 22:31:25 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2010-12-06 22:31:25 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-11-26 16:39:04 1063320 ----a-w- c:\documents and settings\user\gotomypc_533.exe

    ==================== Find3M ====================

    2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-14 15:00:33 232968 ----a-w- c:\windows\system32\nvdrsdb1.bin
    2010-09-14 15:00:33 1 ----a-w- c:\windows\system32\nvdrssel.bin
    2010-09-14 15:00:28 232968 ----a-w- c:\windows\system32\nvdrsdb0.bin

    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: ST3250410AS rev.3.AAF -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A9DB555]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a9e17b0]; MOV EAX, [0x8a9e182c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8AA3AAB8]
    3 CLASSPNP[0xB8108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A99C340]
    \Driver\atapi[0x8AA62200] -> IRP_MJ_CREATE -> 0x8A9DB555
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST3250410AS_____________________________3.AAF___#5&1d2302db&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8A9DB39B
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !

    ============= FINISH: 12:25:51.98 ===============

    Hijack this
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 2:05:53 PM, on 12/9/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Logitech\Gaming Software\LWEMon.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\AVG\AVG10\avgui.exe
    C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\Program Files\AVG\AVG10\avgemcx.exe
    C:\Program Files\AVG\AVG10\avgfws.exe
    C:\Program Files\AVG\AVG10\avgnsx.exe
    C:\Program Files\AVG\AVG10\avgchsvx.exe
    C:\Program Files\AVG\AVG10\avgrsx.exe
    C:\Program Files\AVG\AVG10\avgcsrvx.exe
    C:\Program Files\AVG\AVG10\avgam.exe
    C:\Program Files\AVG\AVG10\avgcsrvx.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.broadentechnologies.com/shop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.broadentechnologies.com/shop
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui
    O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe
    O23 - Service: AVG Firewall (avgfws) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgfws.exe
    O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

    --
    End of file - 7649 bytes
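A helper reads an HJT log like the one above by hand; as an added example (not code from this thread, the TechSpot helpers or HijackThis itself), the Python script below parses a constructed subset of its R0/R1, O2 and O4 lines and lists the entries a reviewer checks first: machine-wide IE start/search values pointing off the expected hosts, a BHO whose DLL is gone (the "(no file)" entry the poster noticed) and Run entries that name a bare executable. The expected-host set is an assumption made for the demonstration, not an authoritative list of IE defaults.

```python
"""Triage helper for HijackThis (HJT) log lines.

Added example, not code from the TechSpot thread or from HijackThis.
SAMPLE_LOG is a constructed subset of the log posted above; EXPECTED_HOSTS
is an assumption for this demonstration only.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Hosts the machine-wide (HKLM) IE start/search values normally point at.
# Assumption for this example, not an authoritative list of IE defaults.
EXPECTED_HOSTS = {"go.microsoft.com", "www.msn.com", "www.microsoft.com"}

# Constructed sample: a subset of the HJT log posted in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.broadentechnologies.com/shop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.broadentechnologies.com/shop
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
"""


@dataclass(frozen=True)
class Finding:
    code: str    # HJT section code, e.g. "O2"
    reason: str  # why the line deserves a second look
    line: str    # the original log line


LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
R_RE = re.compile(r"^(?P<hive>HK\w+)\\(?P<key>.+?),(?P<value>[^=]+?) = (?P<data>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")


def executable_of(cmd: str) -> str:
    """First token of a Run command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def _check_r(code, body, line):
    """R0/R1: HKLM start/search values that point off the expected hosts."""
    m = R_RE.match(body)
    if not m or m.group("hive") != "HKLM":
        return None  # per-user (HKCU) start pages are the user's own choice
    host = urlparse(m.group("data").strip()).hostname or ""
    if host in EXPECTED_HOSTS:
        return None
    return Finding(code, f"{m.group('value').strip()} (HKLM) points at {host}, "
                         "not an expected default host", line)


def _check_o2(code, body, line):
    """O2: a BHO whose CLSID is registered but whose DLL no longer exists."""
    m = O2_RE.match(body)
    if not m or m.group("target").strip() != "(no file)":
        return None
    return Finding(code, f"BHO {m.group('clsid')} is registered but its DLL "
                         "is missing (no file)", line)


def _check_o4(code, body, line):
    """O4: Run entries that name a bare executable instead of a full path."""
    m = O4_RE.match(body)
    if not m:
        return None
    exe = executable_of(m.group("cmd"))
    if "\\" in exe:
        return None  # fully qualified path; nothing to resolve at run time
    return Finding(code, f"Run entry [{m.group('name')}] uses bare name {exe!r}, "
                         "resolved through the search path", line)


CHECKS = {"R0": _check_r, "R1": _check_r, "O2": _check_o2, "O4": _check_o4}


def triage(log_text: str) -> list:
    """Return the findings for every recognised line, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines, headers, the process list, etc.
        check = CHECKS.get(m.group("code"))
        if check is None:
            continue  # sections this example does not inspect (O3, O9, O23, ...)
        finding = check(m.group("code"), m.group("body"), line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code}: {f.reason}\n    {f.line}")
```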
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    The curious want to know: If you have Norton installed and have been happy with it, how is it that AVG is 'popping up' giving you alerts?
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Sorry, I just couldn't resist that! Welcome to TechSpot! I'll help you sort through the problem. I am confused though: the logs are full of AVG v2011, but the last restore point is: RP117: 12/8/2010 5:03:30 PM - Removed AVG 2011

    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe to run the scan.
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.
    ===========================================
    Follow with Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ====================================
    Please leave logs for both of the above programs in your next reply.

    I'm going to have you run Combofix after I see these logs- don't do it yet! The only reason I'm telling you ahead is because of AVG. If it's out, get these programs on the desktop, then run the scans with it out.

    If it is still installed, you will need to uninstall it before running Combofix.

    We're not ready for HJT yet.

    Important! Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
     
  4. tmandato

    tmandato TS Rookie Topic Starter Posts: 16

    before I begin

    I'm about to begin following your instructions.

    "For the curious": Norton runs on MY machine at home. I'm at a friend's house right now...
     
  5. tmandato

    tmandato TS Rookie Topic Starter Posts: 16

    where is tds log

    While ESET continues to run, where do I find a log from TDSSKiller? I did create a quarantine...
     
  6. tmandato

    tmandato TS Rookie Topic Starter Posts: 16

    never mind - found it
     
  7. tmandato

    tmandato TS Rookie Topic Starter Posts: 16

    TDS and ESET logs

    2010/12/09 15:06:43.0890 TDSS rootkit removing tool 2.4.11.0 Dec 8 2010 14:46:40
    2010/12/09 15:06:43.0890 ================================================================================
    2010/12/09 15:06:43.0890 SystemInfo:
    2010/12/09 15:06:43.0890
    2010/12/09 15:06:43.0890 OS Version: 5.1.2600 ServicePack: 3.0
    2010/12/09 15:06:43.0890 Product type: Workstation
    2010/12/09 15:06:43.0890 ComputerName: USER-543C36A348
    2010/12/09 15:06:43.0890 UserName: User
    2010/12/09 15:06:43.0890 Windows directory: C:\WINDOWS
    2010/12/09 15:06:43.0890 System windows directory: C:\WINDOWS
    2010/12/09 15:06:43.0890 Processor architecture: Intel x86
    2010/12/09 15:06:43.0890 Number of processors: 2
    2010/12/09 15:06:43.0890 Page size: 0x1000
    2010/12/09 15:06:43.0890 Boot type: Normal boot
    2010/12/09 15:06:43.0890 ================================================================================
    2010/12/09 15:06:44.0078 Initialize success
    2010/12/09 15:07:08.0281 ================================================================================
    2010/12/09 15:07:08.0281 Scan started
    2010/12/09 15:07:08.0281 Mode: Manual;
    2010/12/09 15:07:08.0281 ================================================================================
    2010/12/09 15:07:09.0296 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2010/12/09 15:07:09.0328 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    2010/12/09 15:07:09.0390 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2010/12/09 15:07:09.0453 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
    2010/12/09 15:07:09.0578 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
    2010/12/09 15:07:09.0656 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2010/12/09 15:07:09.0703 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2010/12/09 15:07:09.0750 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2010/12/09 15:07:09.0812 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2010/12/09 15:07:09.0859 Avgfwdx (0c5941af0b6bf2fdf378937392865217) C:\WINDOWS\system32\DRIVERS\avgfwdx.sys
    2010/12/09 15:07:09.0875 Avgfwfd (0c5941af0b6bf2fdf378937392865217) C:\WINDOWS\system32\DRIVERS\avgfwdx.sys
    2010/12/09 15:07:09.0906 AVGIDSDriver (0c61f066f4d94bd67063dc6691935143) C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys
    2010/12/09 15:07:09.0921 AVGIDSEH (84853f800cd69252c3c764fe50d0346f) C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys
    2010/12/09 15:07:09.0984 AVGIDSFilter (28d6adcd03e10f3838488b9b5d407dd4) C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys
    2010/12/09 15:07:10.0000 AVGIDSShim (0eb16f4dbbb946360af30d2b13a52d1d) C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys
    2010/12/09 15:07:10.0015 Avgldx86 (1119e5bec6e749e0d292f0f84d48edba) C:\WINDOWS\system32\DRIVERS\avgldx86.sys
    2010/12/09 15:07:10.0031 Avgmfx86 (54f1a9b4c9b540c2d8ac4baa171696b1) C:\WINDOWS\system32\DRIVERS\avgmfx86.sys
    2010/12/09 15:07:10.0046 Avgrkx86 (8da3b77993c5f354cc2977b7ea06d03a) C:\WINDOWS\system32\DRIVERS\avgrkx86.sys
    2010/12/09 15:07:10.0078 Avgtdix (354e0fec3bfdfa9c369e0f67ac362f9f) C:\WINDOWS\system32\DRIVERS\avgtdix.sys
    2010/12/09 15:07:10.0125 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2010/12/09 15:07:10.0171 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2010/12/09 15:07:10.0203 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2010/12/09 15:07:10.0234 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    2010/12/09 15:07:10.0281 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2010/12/09 15:07:10.0390 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    2010/12/09 15:07:10.0421 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    2010/12/09 15:07:10.0468 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    2010/12/09 15:07:10.0484 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2010/12/09 15:07:10.0546 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    2010/12/09 15:07:10.0578 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    2010/12/09 15:07:10.0625 e1express (6f7ccd3c02b26d530900f06d98171a69) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
    2010/12/09 15:07:10.0703 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    2010/12/09 15:07:10.0750 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
    2010/12/09 15:07:10.0765 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    2010/12/09 15:07:10.0781 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
    2010/12/09 15:07:10.0796 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    2010/12/09 15:07:10.0812 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2010/12/09 15:07:10.0828 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2010/12/09 15:07:10.0843 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2010/12/09 15:07:10.0859 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
    2010/12/09 15:07:10.0875 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2010/12/09 15:07:10.0937 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
    2010/12/09 15:07:10.0968 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
    2010/12/09 15:07:11.0000 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
    2010/12/09 15:07:11.0046 HSFHWAZL (4de608a118365fd2671ece7a0f99f55b) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
    2010/12/09 15:07:11.0093 HSF_DPV (f6511b1525b689218c1428feb7ab48d0) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
    2010/12/09 15:07:11.0140 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    2010/12/09 15:07:11.0218 ialm (6fcb904910da07c9dc2593d66438fa29) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
    2010/12/09 15:07:11.0296 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2010/12/09 15:07:11.0359 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2010/12/09 15:07:11.0406 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    2010/12/09 15:07:11.0468 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2010/12/09 15:07:11.0515 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2010/12/09 15:07:11.0562 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2010/12/09 15:07:11.0593 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2010/12/09 15:07:11.0640 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2010/12/09 15:07:11.0687 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2010/12/09 15:07:11.0718 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2010/12/09 15:07:11.0734 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
    2010/12/09 15:07:11.0750 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    2010/12/09 15:07:11.0796 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    2010/12/09 15:07:11.0859 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
    2010/12/09 15:07:11.0890 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2010/12/09 15:07:12.0062 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    2010/12/09 15:07:12.0156 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2010/12/09 15:07:12.0203 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2010/12/09 15:07:12.0218 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    2010/12/09 15:07:12.0234 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2010/12/09 15:07:12.0281 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2010/12/09 15:07:12.0296 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    2010/12/09 15:07:12.0328 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2010/12/09 15:07:12.0343 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2010/12/09 15:07:12.0359 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    2010/12/09 15:07:12.0390 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2010/12/09 15:07:12.0406 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
    2010/12/09 15:07:12.0437 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    2010/12/09 15:07:12.0453 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2010/12/09 15:07:12.0468 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2010/12/09 15:07:12.0484 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2010/12/09 15:07:12.0500 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
    2010/12/09 15:07:12.0500 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2010/12/09 15:07:12.0562 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2010/12/09 15:07:12.0593 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
    2010/12/09 15:07:12.0609 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    2010/12/09 15:07:12.0625 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    2010/12/09 15:07:12.0687 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
    2010/12/09 15:07:12.0703 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2010/12/09 15:07:12.0937 nv (ed9816dbaf6689542ea7d022631906a1) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
    2010/12/09 15:07:13.0093 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2010/12/09 15:07:13.0109 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2010/12/09 15:07:13.0156 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
    2010/12/09 15:07:13.0171 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
    2010/12/09 15:07:13.0203 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    2010/12/09 15:07:13.0234 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2010/12/09 15:07:13.0234 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    2010/12/09 15:07:13.0328 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2010/12/09 15:07:13.0359 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    2010/12/09 15:07:13.0468 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2010/12/09 15:07:13.0484 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    2010/12/09 15:07:13.0500 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2010/12/09 15:07:13.0609 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2010/12/09 15:07:13.0625 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2010/12/09 15:07:13.0640 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2010/12/09 15:07:13.0656 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2010/12/09 15:07:13.0671 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2010/12/09 15:07:13.0687 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2010/12/09 15:07:13.0703 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    2010/12/09 15:07:13.0734 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    2010/12/09 15:07:13.0781 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2010/12/09 15:07:13.0828 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2010/12/09 15:07:13.0859 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
    2010/12/09 15:07:13.0875 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2010/12/09 15:07:13.0921 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    2010/12/09 15:07:13.0953 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    2010/12/09 15:07:13.0984 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
    2010/12/09 15:07:14.0046 STHDA (797fcc1d859b203958e915bb82528da9) C:\WINDOWS\system32\drivers\sthda.sys
    2010/12/09 15:07:14.0078 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2010/12/09 15:07:14.0093 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    2010/12/09 15:07:14.0187 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    2010/12/09 15:07:14.0250 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2010/12/09 15:07:14.0281 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2010/12/09 15:07:14.0312 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    2010/12/09 15:07:14.0328 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2010/12/09 15:07:14.0390 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    2010/12/09 15:07:14.0421 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    2010/12/09 15:07:14.0468 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2010/12/09 15:07:14.0484 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2010/12/09 15:07:14.0500 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2010/12/09 15:07:14.0515 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    2010/12/09 15:07:14.0531 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    2010/12/09 15:07:14.0546 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2010/12/09 15:07:14.0578 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2010/12/09 15:07:14.0609 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    2010/12/09 15:07:14.0625 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    2010/12/09 15:07:14.0671 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2010/12/09 15:07:14.0734 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
    2010/12/09 15:07:14.0765 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    2010/12/09 15:07:14.0828 winachsf (ea643e1f001ffd58ef9f28277dc4a1ea) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
    2010/12/09 15:07:14.0890 WmBEnum (84a90f13eebf4380345ef9474d30f10e) C:\WINDOWS\system32\drivers\WmBEnum.sys
    2010/12/09 15:07:14.0921 WmFilter (eb0034ac02a44dc784a3174d2b81e764) C:\WINDOWS\system32\drivers\WmFilter.sys
    2010/12/09 15:07:14.0968 WmVirHid (72c4f5a748c74d8d4016ccfa7367210f) C:\WINDOWS\system32\drivers\WmVirHid.sys
    2010/12/09 15:07:14.0984 WmXlCore (eacdcced934a185e61ce0684f71c2dec) C:\WINDOWS\system32\drivers\WmXlCore.sys
    2010/12/09 15:07:15.0015 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    2010/12/09 15:07:15.0046 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    2010/12/09 15:07:15.0093 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
    2010/12/09 15:07:15.0093 ================================================================================
    2010/12/09 15:07:15.0093 Scan finished
    2010/12/09 15:07:15.0093 ================================================================================
    2010/12/09 15:07:15.0093 Detected object count: 1
    2010/12/09 15:07:46.0515 \HardDisk0 - copied to quarantine
    2010/12/09 15:07:46.0546 \HardDisk0\TDLFS\cfg.ini - copied to quarantine
    2010/12/09 15:07:46.0609 \HardDisk0\TDLFS\mbr - copied to quarantine
    2010/12/09 15:07:46.0609 \HardDisk0\TDLFS\bckfg.tmp - copied to quarantine
    2010/12/09 15:07:46.0609 \HardDisk0\TDLFS\cmd.dll - copied to quarantine
    2010/12/09 15:07:46.0609 \HardDisk0\TDLFS\ldr16 - copied to quarantine
    2010/12/09 15:07:46.0609 \HardDisk0\TDLFS\ldr32 - copied to quarantine
    2010/12/09 15:07:46.0625 \HardDisk0\TDLFS\ldr64 - copied to quarantine
    2010/12/09 15:07:46.0625 \HardDisk0\TDLFS\drv64 - copied to quarantine
    2010/12/09 15:07:46.0625 \HardDisk0\TDLFS\cmd64.dll - copied to quarantine
    2010/12/09 15:07:46.0640 \HardDisk0\TDLFS\drv32 - copied to quarantine
    2010/12/09 15:07:46.0640 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Quarantine
    2010/12/09 15:08:42.0171 Deinitialize success




    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6415
    # api_version=3.0.2
    # EOSSerial=65417d7a1ba8ce4283d761c0ed1c2e63
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-12-09 08:46:20
    # local_time=2010-12-09 03:46:20 (-0500, Eastern Standard Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=1032 16777173 100 98 0 49500476 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=36444
    # found=6
    # cleaned=0
    # scan_time=759
    C:\TDSSKiller_Quarantine\09.12.2010_15.06.43\boot0000\tdlfs0000\tsk0003.dta Win32/Olmarik.ADZ trojan (unable to clean) 00000000000000000000000000000000 I
    C:\TDSSKiller_Quarantine\09.12.2010_15.06.43\boot0000\tdlfs0000\tsk0005.dta Win32/Olmarik.AFK trojan (unable to clean) 00000000000000000000000000000000 I
    C:\TDSSKiller_Quarantine\09.12.2010_15.06.43\boot0000\tdlfs0000\tsk0006.dta Win64/Olmarik.G trojan (unable to clean) 00000000000000000000000000000000 I
    C:\TDSSKiller_Quarantine\09.12.2010_15.06.43\boot0000\tdlfs0000\tsk0007.dta Win64/Olmarik.G trojan (unable to clean) 00000000000000000000000000000000 I
    C:\TDSSKiller_Quarantine\09.12.2010_15.06.43\boot0000\tdlfs0000\tsk0008.dta Win64/Olmarik.A trojan (unable to clean) 00000000000000000000000000000000 I
    C:\TDSSKiller_Quarantine\09.12.2010_15.06.43\boot0000\tdlfs0000\tsk0009.dta a variant of Win32/Olmarik.AIZ trojan (unable to clean) 00000000000000000000000000000000 I
     
  8. tmandato

    tmandato TS Rookie Topic Starter Posts: 16

    Bobbye - I'm having trouble removing AVG. Gotta stop for today and will attack again tomorrow. Maybe after a reboot it will finish.
     
  9. tmandato

    tmandato TS Rookie Topic Starter Posts: 16

    Can't remove AVG. I have encountered a half-dozen errors, including services that couldn't be stopped. I went to admin tools, services and set the services to manual. Reboot, try again. Get more errors removing AVG. This program is itself a VIRUS! You can't disable it permanently and you can't remove it. (scream loudly here)

    How do I get rid of this POS??
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Yes, AVG has been making it difficult for all who have it: Once Combofix is on the desktop, do this:

    To Disable/Uninstall AVG:
    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    • Click on Start> Run> type in services.msc> double click on each AVG Service> Change Startup type to Disabled> Stop the Services
    • Look in Tray and right click the icon(s). On the menu - select Check also Task Manager to see that it's not tricking you. Ctrl+Alt+Delete should open that one so that you can go over the relevant tabs.
    • You can shut things down from there by clicking on the processes so that they get blue. Then right click to get a small popup menu that allows you to terminate.

    If necessary:
    To disable the LinkScanner,
    • Open AVG User Interface.
    • Double-click on the LinkScanner.
    • Un-tick the option Enable AVG Search-Shield and Enable Active Surf-Shield.
    • Save the changes.
    Please do not forget to activate the LinkScanner again once you have performed the tasks requiring its deactivation.

    To disable the Personal E-mail Scanner (if it is installed)
    • Open AVG User Interface.
    • In menu Tools select Advanced settings.
    • Go to E-mail Scanner - Servers - POP3, and click on the POP3 server (usually AutoPOP3:10110).
    • Un-tick the option Activate this server and use it for receiving e-mails.
    • Repeat the same for SMTP server.
    Please enable the servers that were enabled originally again when possible.
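
    As an added illustration of the service-disabling step above (this is not code from the thread or from AVG), the same change done from PowerShell so that every matching service is handled in one pass and the ones that refuse to stop are reported rather than silently skipped. It assumes PowerShell is installed on the XP machine, that the console is run as Administrator (in Safe Mode, as the post says), and that the vendor's services carry "AVG" in their display name; that '*AVG*' pattern is an assumption and should be checked against what services.msc shows.

```powershell
# Added example, not part of the original thread.
# Disable and stop every service whose name matches a pattern, then verify.
# Assumptions: elevated PowerShell session; '*AVG*' is the right name pattern.

$pattern = '*AVG*'   # assumed display-name pattern; confirm in services.msc

$targets = Get-Service | Where-Object {
    $_.DisplayName -like $pattern -or $_.Name -like $pattern
}

if (-not $targets) {
    Write-Host "No services matched $pattern"
    return
}

foreach ($svc in $targets) {
    # Disable first: even if Stop-Service fails, the service will not come
    # back after the next reboot (the behaviour reported later in the thread).
    try {
        Set-Service -Name $svc.Name -StartupType Disabled -ErrorAction Stop
    } catch {
        Write-Warning ("{0}: could not change startup type: {1}" -f $svc.Name, $_.Exception.Message)
        continue
    }

    try {
        Stop-Service -Name $svc.Name -Force -ErrorAction Stop
        Write-Host ("{0,-30} disabled and stopped" -f $svc.Name)
    } catch {
        # Self-protecting security products commonly refuse a stop request;
        # a reboot with the Disabled startup type is the fallback.
        Write-Warning ("{0}: disabled but could not be stopped, reboot required: {1}" -f $svc.Name, $_.Exception.Message)
    }
}

# Verification: Get-Service on PowerShell 2.0 has no StartType property, so the
# startup mode is read from WMI. After a reboot nothing here should be Running.
Get-Service | Where-Object { $_.DisplayName -like $pattern } |
    Select-Object Name, Status,
        @{ Name = 'StartMode'; Expression = {
            (Get-WmiObject Win32_Service -Filter "Name='$($_.Name)'").StartMode } } |
    Format-Table -AutoSize
```

    The Disabled startup type is set before the stop attempt on purpose: if the service refuses to stop, the next Safe Mode boot still comes up without it, which is the state the uninstaller needs.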
     
  11. tmandato

    tmandato TS Rookie Topic Starter Posts: 16

    When I go to the services tab, I cannot stop the services. However, by setting them to disabled, when I reboot, they are not active. I still either get an error when uninstalling, or the machine hangs part way through. Right now, there are no icons in the main AVG application, as they have apparently been 'uninstalled', however the AVG icon is still in the windows tray and still comes up when I click it.

    If I go to add/remove programs, select AVG and click remove, it says there is nothing to remove.

    If I use the install program and select 'uninstall' it says there is a 'previously suspended' install that must be undone first, and then it crashes.

    Right now I am running the install and trying to 'repair', then I'll go back through disabling the services and try to uninstall one more time.

    I have no confidence that this will work, as I've done it once already with no luck. Can I just delete all the program files and run some sort of registry cleaner? Is AVG itself considered malware? I haven't been this frustrated since Windows '98...
     
     
  12. tmandato

    tmandato TS Rookie Topic Starter Posts: 16

    Again it says that a file is locked for exclusive access by another program, close all other programs and retry. There are no other programs running.
     
  13. tmandato

    tmandato TS Rookie Topic Starter Posts: 16

  14. tmandato

    tmandato TS Rookie Topic Starter Posts: 16

    AVG is gone. forever. Now where were we? Combofix is on my desktop, and I've developed an itchy trigger finger!
     
  15. tmandato

    tmandato TS Rookie Topic Starter Posts: 16

    "Ooh-ooh-ooooh!"
     
  16. tmandato

    tmandato TS Rookie Topic Starter Posts: 16

    ..........
     
  17. tmandato

    tmandato TS Rookie Topic Starter Posts: 16

    ComboFix 10-12-09.04 - User 12/11/2010 10:09:05.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.2234 [GMT -5:00]
    Running from: c:\documents and settings\User\Desktop\ComboFix.exe
    FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\NetworkService\Local Settings\Application Data\syssvc.exe

    .
    ((((((((((((((((((((((((( Files Created from 2010-11-11 to 2010-12-11 )))))))))))))))))))))))))))))))
    .

    2010-12-09 20:22 . 2010-12-09 20:22 -------- d-----w- c:\program files\ESET
    2010-12-09 20:07 . 2010-12-09 20:07 -------- d-----w- C:\TDSSKiller_Quarantine
    2010-12-09 20:06 . 2010-12-09 21:37 -------- d-----w- C:\tony
    2010-12-08 18:05 . 2010-12-08 18:05 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\AVG Security Toolbar
    2010-12-08 17:45 . 2010-12-08 17:45 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
    2010-12-08 16:04 . 2010-12-08 16:04 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
    2010-12-08 16:04 . 2010-12-08 16:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-12-08 16:04 . 2010-11-29 22:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-08 16:03 . 2010-12-08 21:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-12-08 16:03 . 2010-11-29 22:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-07 17:51 . 2010-12-07 17:51 388096 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-12-07 17:51 . 2010-12-07 17:51 -------- d-----w- c:\program files\Trend Micro
    2010-12-07 17:17 . 2010-12-07 17:17 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Mozilla
    2010-12-07 17:02 . 2010-12-07 17:03 -------- d-----w- c:\documents and settings\Administrator
    2010-12-07 00:22 . 2010-12-07 00:22 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Yahoo
    2010-12-07 00:22 . 2010-12-07 00:22 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
    2010-12-07 00:22 . 2010-12-07 00:22 -------- d-----w- c:\windows\system32\%APPDATA%
    2010-12-06 22:31 . 2010-12-06 22:31 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-12-06 22:20 . 2010-12-06 22:20 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2010-12-06 22:02 . 2010-12-06 22:02 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-11-26 16:39 . 2010-11-26 16:39 1063320 ----a-w- c:\documents and settings\User\gotomypc_533.exe
    2010-11-26 16:38 . 2010-11-26 16:38 -------- d-----w- c:\windows\Sun

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-18 16:23 . 2006-02-28 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2006-02-28 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2006-02-28 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2006-02-28 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 282624]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-10-06 98304]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-10-06 114688]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2006-10-06 94208]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
    "Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2009-09-17 153608]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-09-23 08:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-06-02 18:28 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/28/2010 1:38 PM 136176]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2010-12-08 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

    2010-12-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-09-28 18:38]

    2010-12-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-09-28 18:38]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    mStart Page = hxxp://www.broadentechnologies.com/shop
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\783fuha4.default\
    FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cbb8d59&v=6.010.023.001&i=26&tp=ab&iy=&ychte=us&lng=en-US&q=
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    .
    - - - - ORPHANS REMOVED - - - -

    ActiveSetup-{927E1ED5-CA30-418E-AD03-13B7DA4B46BD} - h.txtDDS DDS.txtThanks for looking at this for me1TonySteps 1-6 of the 8 Step program for virus addictionIm wIm following the 8 step program...



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-11 10:14
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: ST3250410AS rev.3.AAF -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A9D3555]<<
    c:\docume~1\User\LOCALS~1\Temp\catchme.sys
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a9d97b0]; MOV EAX, [0x8a9d982c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A9E5AB8]
    3 CLASSPNP[0xB8108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8AA28A70]
    \Driver\atapi[0x8AA35F38] -> IRP_MJ_CREATE -> 0x8A9D3555
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST3250410AS_____________________________3.AAF___#5&1d2302db&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8A9D339B
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(700)
    c:\windows\system32\WININET.dll

    - - - - - - - > 'lsass.exe'(760)
    c:\windows\system32\WININET.dll
    .
    Completion time: 2010-12-11 10:17:29
    ComboFix-quarantined-files.txt 2010-12-11 15:17

    Pre-Run: 227,865,763,840 bytes free
    Post-Run: 228,038,381,568 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - B6CFD69F490F47B68F7972BBD4B3A49A
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Every time you make a new post, I get email notice. So right now, I'm dealing with 5 emails because you didn't use the Edit feature. This is the weekend, today in particular, Sunday. Allow me to have some time with my family and then I'll review the logs.

    Perhaps you weren't aware that we are all volunteer helpers here. Occasionally I try to remind myself that I do have another life. Sometimes, that means that the person with the malware problem must wait another day.

    But since you still have a rootkit, please run this while I eat lunch:

    Please download MBR Rootkit Detector and save it on your desktop.
    • Pause/Stop all antivirus/spyware active protection.
    • Then double click on mbr.exe to run it.
    • Select Run when you receive a Security Warning
    • The process is automatic, a black DOS window will appear and disappear suddenly. This is normal.
    • A log file will then be created on your desktop where you ran mbr.exe
    • Copy and paste the contents of mbr.log on your next reply.
    ============================
     
  19. tmandato

    tmandato TS Rookie Topic Starter Posts: 16

    My sincerest apologies. I do understand the nature of your volunteer participation. I too was voluntarily trying to help a disabled/homebound neighbor. I made honest attempts to follow the guidelines of the forum, and did not see references to refraining from weekend use of the forum. I'm relatively sure that my PM to you prompted this response, and again, for that, I apologize. I was sincerely looking to join the fray (become a productive contributor), and should have refrained from referencing this thread in that message. I am sincere in this. You have knowledge and experience that is sorely needed by so many, and I am glad you volunteer your time. I feel worse than you know that I offended you this way. I did peek at your profile several times, and to my detriment, I saw that you do indeed go above and beyond helping others, even on the weekend. When I saw you posting to several other threads, some brand new, I assumed it was ok to interact, since you were online. Maybe TS should give you guys a stealth mode! I guess I was spying, so I was wrong in that regard. I shouldn't have tried to 'bump' my issue. (Now, my better judgment says I should shut up here, but I just can't! My judgment has already proven to be lacking. I need to seek psych help too :)

    I would like to respectfully suggest another "sticky" at the top of the forum to newbies like me, to help them participate appropriately and to alleviate the frustration of the volunteers who bring the real value to the site:
    1. Please refrain from using the forum on weekends and allow the contributors some downtime.
    2. Realize that each reply generates an email to thread 'subscribers', of which you (as the thread initiator) and your volunteer contributor will receive emails from. If you are actively working and feel compelled to send an update (you made a mistake or have a new revelation), try using the 'edit' feature to update a prior post to your thread, so as not to inundate the volunteer with multiple emails about your posts.
    3. Each contributor has their own method for managing the workload they take on voluntarily, and they help multiple members at a time. Don't try to bump your thread to the top thinking it will go to the top of their 'inbox', just let them do their thing. They'll get to you.

    I actually had no idea about the automated email responses, since I began the thread from the infected computer and was unable to retrieve my emails from that computer. I had to run home once or twice in the registration process, but was trying to fix her computer 'in situ', which precluded me from viewing my mail via webmail on her computer.

    Please understand that I came to techspot and this forum as a total newbie, and this was my only experience. I tried to read and follow the instructions provided before I even began my help request, because I do respect the value of your time, and the free services provided here. I had to learn the functions of the threads, and apparently learned the hard way. I had no intention of hitting a gong next to your head with lots of email. I sincerely had no intention of ruining your weekend with my progress posts.

    I am tucking my tail and telling my neighbor that she'll need to seek help elsewhere (elsewhere from me, anyway) as I am out of my comfort zone now. I did utilize some of the tools referenced on this forum and others to try to remove the tdl4 rootkit. I have no idea if it's really gone - I read enough to know that I don't know what I really need to know (you know that saying, you don't know how much you don't know until...) Anyway her stated purpose for buying the computer was for her grandchild to play educational games (I do see evidence of that) and it'll be fine for that. Although I know that she also used it for banking and Rx renewals, which I think is why I got so zealous about it. I will inform her that she shouldn't use it for such sensitive transactions, as I don't have the experience to ensure the security of those activities with the computer in this 'working but unverified state'. I believe she has other options available to her, and letting her grandkid play 'kung-fu panda' on it shouldn't present a serious risk.

    I know that I can get a bit of tunnel vision when a problem like this presents itself, and I didn't mean to make my problem yours.

    Thanks for your help, you may close this thread.
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Thread closed at request of member.
     