[Closed] IE8 and Mozilla redirect / I'm following the 8 step program


tmandato

I'm working on a friend's PC that had no anti-virus, firewall, etc. Primary symptom is IE and Firefox redirecting to random sites. I've removed things before from my own computer, but that was at least 3 yrs ago, and I haven't had a single problem since installing Symantec, so I'm now out of practice and stumped. Incidentally, AVG occasionally pops up with a threat, and by the time you respond to say 'remove it' the file is gone. This machine certainly has a gremlin!

Though not asked for, I see a BHO (the first one) in HijackThis that looks suspicious, so I put my HijackThis log at the bottom of this post.

Thanks for looking at this for me!
Tony

I'll have to follow up with some of the logs; it turns out they are too long and it won't allow me to post all of this at once...

Steps 1-6 of the 8 Step program for virus addiction:

1. AVG installed, removed some trojans and other viruses.
2. TFC executed
3. Malware run - initially it removed some things, but I ran it before finding this forum. Now it runs clean.
Here is the most recent log. I have the other one too, but I'm having a bear of a time posting to this forum with all these logs while keeping the post under 50,000 chars:
Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5272

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/9/2010 12:14:45 PM
mbam-log-2010-12-09 (12-14-45).txt

Scan type: Quick scan
Objects scanned: 137432
Time elapsed: 1 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

4. GMER log:
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-09 12:22:41
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 ST3250410AS rev.3.AAF
Running: tlfd432w.exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\kggorkow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xA52A76C0]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xA52A7770]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xA52A7810]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xA52A78B0]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB63FC3A0, 0x59FFE5, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[384] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CF000A
.text C:\WINDOWS\Explorer.EXE[384] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D0000A
.text C:\WINDOWS\Explorer.EXE[384] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00CE000C
.text C:\Program Files\Internet Explorer\iexplore.exe[1408] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DD000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1408] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DE000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1408] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A3000C
.text C:\Program Files\Internet Explorer\iexplore.exe[1408] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 037D14C7 C:\Documents and Settings\User\Application Data\Sun\fuvvn.dll (2,3,1,0/Sun Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1408] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154F5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1408] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1408] USER32.dll!GetClipboardData 7E430DBA 5 Bytes JMP 037D1319 C:\Documents and Settings\User\Application Data\Sun\fuvvn.dll (2,3,1,0/Sun Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1408] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5027 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1408] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4F59 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1408] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4FC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1408] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4E2A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1408] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4E8C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1408] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E508A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1408] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4EEE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1408] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E538F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\System32\svchost.exe[1600] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F1000A
.text C:\WINDOWS\System32\svchost.exe[1600] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00F2000A
.text C:\WINDOWS\System32\svchost.exe[1600] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00AD000C
.text C:\WINDOWS\System32\svchost.exe[1600] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 01FD000A
.text C:\WINDOWS\System32\svchost.exe[1600] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00FA000A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\iexplore.exe[1408] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A9DB39B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A9DB39B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 8A9DB39B

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST3250410AS_____________________________3.AAF___#5&1d2302db&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

---- EOF - GMER 1.0.15 ----

5. DDS "Attach.txt":
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-05.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 6/2/2010 1:27:36 PM
System Uptime: 12/9/2010 12:05:42 PM (0 hours ago)

Motherboard: Dell Inc. | | 0WG860
Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz | Microprocessor | 2394/1066mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 233 GiB total, 210.029 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP28: 9/10/2010 3:56:14 PM - Installed Windows XP WgaNotify.
RP29: 9/10/2010 9:48:21 PM - Software Distribution Service 3.0
RP30: 9/12/2010 10:56:35 AM - System Checkpoint
RP31: 9/13/2010 11:03:16 AM - System Checkpoint
RP32: 9/15/2010 4:41:54 PM - System Checkpoint
RP33: 9/15/2010 10:35:46 PM - Software Distribution Service 3.0
RP34: 9/17/2010 5:29:56 PM - System Checkpoint
RP35: 9/19/2010 11:26:57 AM - System Checkpoint
RP36: 9/20/2010 11:46:47 AM - System Checkpoint
RP37: 9/21/2010 2:36:40 PM - System Checkpoint
RP38: 9/22/2010 2:42:22 PM - System Checkpoint
RP39: 9/23/2010 9:36:21 AM - Avg Update
RP40: 9/23/2010 9:37:14 AM - Avg Update
RP41: 9/24/2010 3:55:22 PM - System Checkpoint
RP42: 9/25/2010 4:31:28 PM - System Checkpoint
RP43: 9/26/2010 4:47:07 PM - System Checkpoint
RP44: 9/27/2010 5:24:57 PM - System Checkpoint
RP45: 9/28/2010 5:51:39 PM - System Checkpoint
RP46: 9/29/2010 6:06:47 PM - System Checkpoint
RP47: 9/29/2010 9:11:15 PM - Software Distribution Service 3.0
RP48: 10/1/2010 3:48:03 PM - System Checkpoint
RP49: 10/2/2010 4:36:22 PM - System Checkpoint
RP50: 10/3/2010 5:20:29 PM - System Checkpoint
RP51: 10/4/2010 2:00:27 PM - Avg Update
RP52: 10/5/2010 2:21:43 PM - System Checkpoint
RP53: 10/6/2010 3:39:42 PM - System Checkpoint
RP54: 10/6/2010 4:23:15 PM - Installed QuickTime
RP55: 10/7/2010 5:06:31 PM - System Checkpoint
RP56: 10/8/2010 6:00:49 PM - System Checkpoint
RP57: 10/9/2010 6:47:44 PM - System Checkpoint
RP58: 10/10/2010 7:46:39 PM - System Checkpoint
RP59: 10/11/2010 7:46:46 PM - System Checkpoint
RP60: 10/12/2010 8:46:46 PM - System Checkpoint
RP61: 10/14/2010 3:27:01 PM - System Checkpoint
RP62: 10/14/2010 10:02:18 PM - Software Distribution Service 3.0
RP63: 10/16/2010 10:41:36 AM - System Checkpoint
RP64: 10/17/2010 10:42:37 AM - System Checkpoint
RP65: 10/17/2010 7:52:07 PM - Installed Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
RP66: 10/17/2010 7:52:16 PM - Installed AVG 2011
RP67: 10/17/2010 7:53:04 PM - Removed AVG Free 9.0
RP68: 10/17/2010 7:55:59 PM - Installed AVG 2011
RP69: 10/19/2010 3:06:26 PM - System Checkpoint
RP70: 10/20/2010 3:38:37 PM - System Checkpoint
RP71: 10/22/2010 3:59:38 PM - System Checkpoint
RP72: 10/23/2010 4:49:06 PM - System Checkpoint
RP73: 10/24/2010 4:53:43 PM - System Checkpoint
RP74: 10/25/2010 5:21:00 PM - System Checkpoint
RP75: 10/26/2010 6:04:50 PM - System Checkpoint
RP76: 10/27/2010 6:42:03 PM - System Checkpoint
RP77: 10/28/2010 7:49:39 PM - System Checkpoint
RP78: 10/30/2010 12:20:53 PM - System Checkpoint
RP79: 10/31/2010 12:39:25 PM - System Checkpoint
RP80: 11/1/2010 2:23:43 PM - System Checkpoint
RP81: 11/2/2010 2:29:34 PM - System Checkpoint
RP82: 11/3/2010 2:40:44 PM - System Checkpoint
RP83: 11/4/2010 3:03:04 PM - System Checkpoint
RP84: 11/5/2010 4:10:43 PM - System Checkpoint
RP85: 11/6/2010 2:57:35 PM - Removed OpenOffice.org 3.1
RP86: 11/6/2010 2:59:00 PM - Installed OpenOffice.org 3.2
RP87: 11/7/2010 2:55:54 PM - System Checkpoint
RP88: 11/8/2010 3:20:11 PM - System Checkpoint
RP89: 11/9/2010 3:42:11 PM - System Checkpoint
RP90: 11/10/2010 4:28:10 PM - System Checkpoint
RP91: 11/10/2010 8:18:24 PM - Software Distribution Service 3.0
RP92: 11/11/2010 9:06:27 PM - System Checkpoint
RP93: 11/13/2010 9:43:52 AM - System Checkpoint
RP94: 11/14/2010 10:03:21 AM - System Checkpoint
RP95: 11/15/2010 1:07:14 PM - System Checkpoint
RP96: 11/16/2010 1:28:19 PM - System Checkpoint
RP97: 11/17/2010 1:28:59 PM - System Checkpoint
RP98: 11/18/2010 1:46:08 PM - System Checkpoint
RP99: 11/19/2010 2:07:18 PM - System Checkpoint
RP100: 11/20/2010 2:56:33 PM - System Checkpoint
RP101: 11/21/2010 3:56:54 PM - System Checkpoint
RP102: 11/22/2010 4:06:33 PM - System Checkpoint
RP103: 11/23/2010 4:22:33 PM - System Checkpoint
RP104: 11/24/2010 4:50:59 PM - System Checkpoint
RP105: 11/25/2010 5:28:21 PM - System Checkpoint
RP106: 11/26/2010 6:22:51 PM - System Checkpoint
RP107: 11/28/2010 10:18:35 AM - System Checkpoint
RP108: 11/29/2010 12:46:11 PM - System Checkpoint
RP109: 11/30/2010 1:25:09 PM - System Checkpoint
RP110: 12/1/2010 2:35:24 PM - System Checkpoint
RP111: 12/2/2010 3:07:06 PM - System Checkpoint
RP112: 12/4/2010 9:05:43 AM - System Checkpoint
RP113: 12/5/2010 9:48:25 AM - System Checkpoint
RP114: 12/6/2010 2:13:52 PM - System Checkpoint
RP115: 12/6/2010 5:30:38 PM - Restore Operation
RP116: 12/8/2010 12:43:14 PM - System Checkpoint
RP117: 12/8/2010 5:03:30 PM - Removed AVG 2011

==== Installed Programs ======================

32 Bit HP CIO Components Installer
32 bit Windows Card Reader Driver
3600_Help
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.4.1
Apple Application Support
Apple Software Update
AVG 2011
BPD_Scan
BPDSoftware
BPDSoftware_Ini
BufferChm
Conexant HDA D110 MDC V.92 Modem
CustomerResearchQFolder
Destinations
DeviceManagementQFolder
DocProc
DocProcQFolder
eSupportQFolder
Fax
Google Earth Plug-in
Google Toolbar for Internet Explorer
Google Update Helper
High Definition Audio Driver Package - KB835221
HiJackThis
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB981793)
HP Customer Participation Program 8.0
HP Imaging Device Functions 8.0
HP OCR Software 8.0
HP Officejet J3600 Series
HP Solution Center 8.0
HP Update
HPProductAssistant
HPSSupply
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
J3600
Java(TM) 6 Update 16
Kung Fu Panda(TM)
Logitech Gaming Software 5.08
Malwarebytes' Anti-Malware
MarketResearch
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.6.12)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NVIDIA Display Control Panel
NVIDIA Drivers
NVIDIA nView Desktop Manager
NVIDIA PhysX
OpenOffice.org 3.2
ProductContext
QuickTime
Scan
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SigmaTel Audio
SolutionCenter
Status
Super Collapse 3
Super Collapse 3 (remove only)
Toolbox
TrayApp
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
Yahoo! Install Manager
Yahoo! Software Update

==== Event Viewer Messages From Past Week ========

12/8/2010 2:14:31 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
12/8/2010 2:07:31 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service netman with arguments "" in order to run the server: {BA126ADB-2166-11D1-B1D0-00805FC1270E}
12/8/2010 11:35:58 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
12/7/2010 12:31:18 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
12/7/2010 12:03:47 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
12/7/2010 12:03:18 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Avgldx86 Avgmfx86 Fips intelppm
12/7/2010 12:03:16 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
12/7/2010 11:26:21 AM, error: Service Control Manager [7022] - The Automatic Updates service hung on starting.
12/6/2010 8:40:48 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
12/6/2010 6:17:14 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

==== End Of File ===========================

DDS "DDS.txt":
DDS (Ver_10-12-05.01) - NTFSx86
Run by User at 12:24:44.84 on Thu 12/09/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.1805 [GMT -5:00]

AV: AVG Internet Security 2011 *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
svchost.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVG\AVG10\avgui.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Program Files\AVG\AVG10\avgfws.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgchsvx.exe
C:\Program Files\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\AVG\AVG10\avgam.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mDefault_Page_URL = hxxp://www.broadentechnologies.com/shop
mStart Page = hxxp://www.broadentechnologies.com/shop
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Start WingMan Profiler] c:\program files\logitech\gaming software\LWEMon.exe /noui
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {927E1ED5-CA30-418E-AD03-13B7DA4B46BD} - rundll32.exe "c:\documents and settings\user\application data\sun\fuvvn.dll", UnregisterDll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\783fuha4.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cbb8d59&v=6.010.023.001&i=26&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Extension: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox
FF - Extension: AVG Security Toolbar em:version=6.010.023.001 em:displayname=AVG Security Toolbar em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security Toolbar em:homepageURL=http://www.avg.com >: avg@igeared - c:\program files\avg\avg10\toolbar\firefox\avg@igeared

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 299984]
R2 avgfws;AVG Firewall;c:\program files\avg\avg10\avgfws.exe [2010-11-9 3229728]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-10 6127184]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-9-28 136176]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2010-10-17 517448]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]

=============== Created Last 30 ================

2010-12-08 18:05:43 -------- d-----w- c:\docume~1\user\locals~1\applic~1\AVG Security Toolbar
2010-12-08 16:04:06 -------- d-----w- c:\docume~1\user\applic~1\Malwarebytes
2010-12-08 16:04:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-08 16:04:01 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-12-08 16:03:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-08 16:03:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-07 17:51:13 388096 ----a-r- c:\docume~1\user\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2010-12-07 17:51:13 -------- d-----w- c:\program files\Trend Micro
2010-12-07 17:17:55 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Mozilla
2010-12-07 00:22:12 -------- d-----w- c:\windows\system32\%APPDATA%
2010-12-06 22:31:25 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-12-06 22:31:25 -------- d-----w- c:\windows\system32\wbem\Repository
2010-11-26 16:39:04 1063320 ----a-w- c:\documents and settings\user\gotomypc_533.exe

==================== Find3M ====================

2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-14 15:00:33 232968 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-09-14 15:00:33 1 ----a-w- c:\windows\system32\nvdrssel.bin
2010-09-14 15:00:28 232968 ----a-w- c:\windows\system32\nvdrsdb0.bin

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3250410AS rev.3.AAF -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A9DB555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a9e17b0]; MOV EAX, [0x8a9e182c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8AA3AAB8]
3 CLASSPNP[0xB8108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A99C340]
\Driver\atapi[0x8AA62200] -> IRP_MJ_CREATE -> 0x8A9DB555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST3250410AS_____________________________3.AAF___#5&1d2302db&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A9DB39B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 12:25:51.98 ===============

Hijack this
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:05:53 PM, on 12/9/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVG\AVG10\avgui.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Program Files\AVG\AVG10\avgfws.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgchsvx.exe
C:\Program Files\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\AVG\AVG10\avgam.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.broadentechnologies.com/shop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.broadentechnologies.com/shop
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe
O23 - Service: AVG Firewall (avgfws) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgfws.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 7649 bytes
 
The curious want to know: If you have Norton installed and have been happy with it, how is it that AVG is 'popping up' giving you alerts?
 
Sorry- I just couldn't resist that! Welcome to TechSpot! I'll help you sort through the problem. I am confused though- the logs are full of AVG v2011, but the last restore point is: RP117: 12/8/2010 5:03:30 PM - Removed AVG 2011

  • Download the file TDSSKiller.zip and save to the desktop.
    (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
  • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
  • Double click on TDSSKiller.exe to run the scan.
  • When the scan is over, the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
  • Select the action Quarantine to quarantine detected objects.
    The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
  • After clicking Next, the utility applies selected actions and outputs the result.
  • A reboot is required after disinfection.
===========================================
Follow with Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
====================================
Please leave logs for both of the above programs in your next reply.

I'm going to have you run Combofix after I see these logs- don't do it yet! The only reason I'm telling you ahead is because of AVG. If it's out, get these programs on the desktop, then run the scans with it out.

If it is still installed, you will need to uninstall it before running Combofix.

We're not ready for HJT yet.

Important! Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
 
before I begin

I'm about to begin following your instructions.

"For the curious": Norton runs on MY machine at home. I'm at a friend's house right now...
 
where is tds log

While ESET continues to run, where do I find a log from TDSkiller? I did create a quarantine...
 
TDS and ESET logs

2010/12/09 15:06:43.0890 TDSS rootkit removing tool 2.4.11.0 Dec 8 2010 14:46:40
2010/12/09 15:06:43.0890 ================================================================================
2010/12/09 15:06:43.0890 SystemInfo:
2010/12/09 15:06:43.0890
2010/12/09 15:06:43.0890 OS Version: 5.1.2600 ServicePack: 3.0
2010/12/09 15:06:43.0890 Product type: Workstation
2010/12/09 15:06:43.0890 ComputerName: USER-543C36A348
2010/12/09 15:06:43.0890 UserName: User
2010/12/09 15:06:43.0890 Windows directory: C:\WINDOWS
2010/12/09 15:06:43.0890 System windows directory: C:\WINDOWS
2010/12/09 15:06:43.0890 Processor architecture: Intel x86
2010/12/09 15:06:43.0890 Number of processors: 2
2010/12/09 15:06:43.0890 Page size: 0x1000
2010/12/09 15:06:43.0890 Boot type: Normal boot
2010/12/09 15:06:43.0890 ================================================================================
2010/12/09 15:06:44.0078 Initialize success
2010/12/09 15:07:08.0281 ================================================================================
2010/12/09 15:07:08.0281 Scan started
2010/12/09 15:07:08.0281 Mode: Manual;
2010/12/09 15:07:08.0281 ================================================================================
2010/12/09 15:07:15.0093 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/12/09 15:07:15.0093 ================================================================================
2010/12/09 15:07:15.0093 Scan finished
2010/12/09 15:07:15.0093 ================================================================================
2010/12/09 15:07:15.0093 Detected object count: 1
2010/12/09 15:07:46.0515 \HardDisk0 - copied to quarantine
2010/12/09 15:07:46.0546 \HardDisk0\TDLFS\cfg.ini - copied to quarantine
2010/12/09 15:07:46.0609 \HardDisk0\TDLFS\mbr - copied to quarantine
2010/12/09 15:07:46.0609 \HardDisk0\TDLFS\bckfg.tmp - copied to quarantine
2010/12/09 15:07:46.0609 \HardDisk0\TDLFS\cmd.dll - copied to quarantine
2010/12/09 15:07:46.0609 \HardDisk0\TDLFS\ldr16 - copied to quarantine
2010/12/09 15:07:46.0609 \HardDisk0\TDLFS\ldr32 - copied to quarantine
2010/12/09 15:07:46.0625 \HardDisk0\TDLFS\ldr64 - copied to quarantine
2010/12/09 15:07:46.0625 \HardDisk0\TDLFS\drv64 - copied to quarantine
2010/12/09 15:07:46.0625 \HardDisk0\TDLFS\cmd64.dll - copied to quarantine
2010/12/09 15:07:46.0640 \HardDisk0\TDLFS\drv32 - copied to quarantine
2010/12/09 15:07:46.0640 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Quarantine
2010/12/09 15:08:42.0171 Deinitialize success

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6415
# api_version=3.0.2
# EOSSerial=65417d7a1ba8ce4283d761c0ed1c2e63
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-12-09 08:46:20
# local_time=2010-12-09 03:46:20 (-0500, Eastern Standard Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1032 16777173 100 98 0 49500476 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=36444
# found=6
# cleaned=0
# scan_time=759
C:\TDSSKiller_Quarantine\09.12.2010_15.06.43\boot0000\tdlfs0000\tsk0003.dta Win32/Olmarik.ADZ trojan (unable to clean) 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\09.12.2010_15.06.43\boot0000\tdlfs0000\tsk0005.dta Win32/Olmarik.AFK trojan (unable to clean) 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\09.12.2010_15.06.43\boot0000\tdlfs0000\tsk0006.dta Win64/Olmarik.G trojan (unable to clean) 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\09.12.2010_15.06.43\boot0000\tdlfs0000\tsk0007.dta Win64/Olmarik.G trojan (unable to clean) 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\09.12.2010_15.06.43\boot0000\tdlfs0000\tsk0008.dta Win64/Olmarik.A trojan (unable to clean) 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\09.12.2010_15.06.43\boot0000\tdlfs0000\tsk0009.dta a variant of Win32/Olmarik.AIZ trojan (unable to clean) 00000000000000000000000000000000 I
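As an added example (not part of this thread, and not code from TDSSKiller or ESET), the Python script below parses the two log formats posted above, checks that every TDSSKiller detection was actioned and copied to quarantine, and separates ESET hits that sit inside C:\TDSSKiller_Quarantine (the already-removed rootkit files) from anything still live on the disk. The sample log lines are constructed from the formats above and abbreviated.

```python
import re

# Constructed sample in the shape of the TDSSKiller 2.4.11 log above: the driver
# inventory is cut to two entries, the verdict lines mirror the real run.
TDSSKILLER_LOG = r"""
2010/12/09 15:07:08.0281 Scan started
2010/12/09 15:07:09.0703 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/12/09 15:07:10.0390 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/12/09 15:07:15.0093 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/12/09 15:07:15.0093 Scan finished
2010/12/09 15:07:15.0093 Detected object count: 1
2010/12/09 15:07:46.0515 \HardDisk0 - copied to quarantine
2010/12/09 15:07:46.0546 \HardDisk0\TDLFS\cfg.ini - copied to quarantine
2010/12/09 15:07:46.0609 \HardDisk0\TDLFS\mbr - copied to quarantine
2010/12/09 15:07:46.0640 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Quarantine
"""

# Constructed sample in the shape of the ESET Online Scanner log above
# (two of the six hits; the "found" counter is adjusted to match).
ESET_LOG = r"""
# found=2
# cleaned=0
C:\TDSSKiller_Quarantine\09.12.2010_15.06.43\boot0000\tdlfs0000\tsk0003.dta Win32/Olmarik.ADZ trojan (unable to clean) 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\09.12.2010_15.06.43\boot0000\tdlfs0000\tsk0009.dta a variant of Win32/Olmarik.AIZ trojan (unable to clean) 00000000000000000000000000000000 I
"""

QUARANTINE_ROOT = r"C:\TDSSKiller_Quarantine"  # default folder named in the instructions above

TDSS_LINE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4} (.*)$")
DRIVER_LINE = re.compile(r"^(\S+) \(([0-9a-f]{32})\) (.+)$")  # name (md5) path
# path, threat description, 32-hex-digit hash, one-letter flag (path may contain spaces)
ESET_HIT = re.compile(r"^([A-Za-z]:\\.*?\.[A-Za-z0-9]+) (.*?) ([0-9a-f]{32}) ([A-Z])$")


def parse_tdsskiller(text):
    """Split a TDSSKiller log into the driver inventory and the verdict lines."""
    report = {"drivers": {}, "detections": [], "quarantined": [],
              "actions": {}, "declared_count": None}
    for raw in text.splitlines():
        m = TDSS_LINE.match(raw)
        if not m:
            continue
        msg = m.group(1)
        drv = DRIVER_LINE.match(msg)
        if drv:
            report["drivers"][drv.group(1)] = (drv.group(2), drv.group(3))
        elif " - detected " in msg:
            obj, threat = msg.split(" - detected ", 1)
            report["detections"].append((obj, threat.rsplit(" (", 1)[0]))
        elif msg.endswith(" - copied to quarantine"):
            report["quarantined"].append(msg[: -len(" - copied to quarantine")])
        elif msg.startswith("Detected object count: "):
            report["declared_count"] = int(msg.split(": ", 1)[1])
        elif " - User select action: " in msg:
            target, action = msg.split(" - User select action: ", 1)
            # target reads Threat(\Object); keep only the object name
            obj = target[target.rfind("(") + 1:-1] if target.endswith(")") else target
            report["actions"][obj] = action
    return report


def parse_eset(text):
    """Return the '# key=value' header and the per-file hits of an ESET log."""
    header, hits = {}, []
    for raw in text.splitlines():
        if raw.startswith("# ") and "=" in raw:
            key, _, value = raw[2:].partition("=")
            header[key] = value
            continue
        m = ESET_HIT.match(raw)
        if m:
            hits.append({"path": m.group(1), "threat": m.group(2),
                         "hash": m.group(3), "flag": m.group(4)})
    return header, hits


def triage(tdss_text, eset_text, quarantine_root=QUARANTINE_ROOT):
    """Cross-check the two logs the way a helper reading this thread would."""
    r = parse_tdsskiller(tdss_text)
    problems = []
    if r["declared_count"] != len(r["detections"]):
        problems.append("TDSSKiller detection count does not match detection lines")
    for obj, threat in r["detections"]:
        action = r["actions"].get(obj)
        if action not in ("Quarantine", "Cure", "Delete"):
            problems.append(f"no removal action recorded for {obj} ({threat})")
        if action == "Quarantine" and obj not in r["quarantined"]:
            problems.append(f"{obj} was never copied to quarantine")
    header, hits = parse_eset(eset_text)
    if "found" in header and int(header["found"]) != len(hits):
        problems.append("ESET 'found' counter does not match hit lines")
    # Hits inside the TDSSKiller quarantine are the rootkit files already pulled off
    # the disk; only hits outside it point at something still live on the system.
    live = [h for h in hits if not h["path"].lower().startswith(quarantine_root.lower())]
    return {"tdss_detections": r["detections"], "quarantined_files": len(r["quarantined"]),
            "eset_hits": len(hits), "eset_live_hits": live, "problems": problems}


if __name__ == "__main__":
    for key, value in triage(TDSSKILLER_LOG, ESET_LOG).items():
        print(f"{key}: {value}")
```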
 
Bobbye - I'm having trouble removing AVG. Gotta stop for today and will attack again tomorrow. Maybe after a reboot it will finish.
 
Can't remove AVG. I have encountered a half-dozen errors, including services that couldn't be stopped. I went to admin tools, services and set the services to manual. Reboot, try again. Get more errors removing AVG. This program is itself a VIRUS! You can't disable it permanently and you can't remove it. (scream loudly here)

How do I get rid of this POS??
 
Yes, AVG has been making it difficult for all who have it: Once Combofix is on the desktop, do this:

To Disable/Uninstall AVG:
Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
  • Click on Start> Run> type in services.msc> double click on each AVG Service> Change Startup type to Disabled> Stop the Services
  • Look in Tray and right click the icon(s). On the menu - select Check also Task Manager to see that it's not tricking you. Ctrl+Alt+Delete should open that one so that you can go over the relevant tabs.
  • You can shut things down from there by clicking on the processes so that they get blue. Then right click to get a small popup menu that allows you to terminate.

If necessary:
To disable the LinkScanner,
  • Open AVG User Interface.
  • Double-click on the LinkScanner.
  • Un-tick the option Enable AVG Search-Shield and Enable Active Surf-Shield.
  • Save the changes.
Please do not forget to activate the LinkScanner again once you performed the tasks requiring its deactivation.

To disable the Personal E-mail Scanner (if it is installed)
  • Open AVG User Interface.
  • In menu Tools select Advanced settings.
  • Go to E-mail Scanner - Servers - POP3, and click on the POP3 server (usually AutoPOP3:10110).
  • Un-tick the option Activate this server and use it for receiving e-mails.
  • Repeat the same for SMTP server.
Please enable the servers that were enabled originally again when possible.
 
When I go to the services tab, I cannot stop the services. However, by setting them to disabled, when I reboot, they are not active. I still either get an error when uninstalling, or the machine hangs part way through. Right now, there are no icons in the main AVG application, as they have apparently been 'uninstalled', however the AVG icon is still in the Windows tray and still comes up when I click it.

If I go to add/remove programs, select AVG and click remove, it says there is nothing to remove.

If I use the install program and select 'uninstall' it says there is a 'previously suspended' install that must be undone first, and then it crashes.

Right now I am running the install and trying to 'repair', then I'll go back through disabling the services and try to uninstall one more time.

I have no confidence that this will work, as I've done it once already with no luck. Can I just delete all the program files and run some sort of registry cleaner? Is AVG itself considered malware? I haven't been this frustrated since Windows '98...
 
Again it says that a file is locked for exclusive access by another program, close all other programs and retry. There are no other programs running.
 
AVG is gone. Forever. Now where were we? Combofix is on my desktop, and I've developed an itchy trigger finger!
 
ComboFix 10-12-09.04 - User 12/11/2010 10:09:05.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.2234 [GMT -5:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\NetworkService\Local Settings\Application Data\syssvc.exe

.
((((((((((((((((((((((((( Files Created from 2010-11-11 to 2010-12-11 )))))))))))))))))))))))))))))))
.

2010-12-09 20:22 . 2010-12-09 20:22 -------- d-----w- c:\program files\ESET
2010-12-09 20:07 . 2010-12-09 20:07 -------- d-----w- C:\TDSSKiller_Quarantine
2010-12-09 20:06 . 2010-12-09 21:37 -------- d-----w- C:\tony
2010-12-08 18:05 . 2010-12-08 18:05 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\AVG Security Toolbar
2010-12-08 17:45 . 2010-12-08 17:45 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-12-08 16:04 . 2010-12-08 16:04 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2010-12-08 16:04 . 2010-12-08 16:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-12-08 16:04 . 2010-11-29 22:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-08 16:03 . 2010-12-08 21:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-08 16:03 . 2010-11-29 22:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-07 17:51 . 2010-12-07 17:51 388096 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-12-07 17:51 . 2010-12-07 17:51 -------- d-----w- c:\program files\Trend Micro
2010-12-07 17:17 . 2010-12-07 17:17 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Mozilla
2010-12-07 17:02 . 2010-12-07 17:03 -------- d-----w- c:\documents and settings\Administrator
2010-12-07 00:22 . 2010-12-07 00:22 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Yahoo
2010-12-07 00:22 . 2010-12-07 00:22 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
2010-12-07 00:22 . 2010-12-07 00:22 -------- d-----w- c:\windows\system32\%APPDATA%
2010-12-06 22:31 . 2010-12-06 22:31 -------- d-----w- c:\windows\system32\wbem\Repository
2010-12-06 22:20 . 2010-12-06 22:20 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-12-06 22:02 . 2010-12-06 22:02 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-11-26 16:39 . 2010-11-26 16:39 1063320 ----a-w- c:\documents and settings\User\gotomypc_533.exe
2010-11-26 16:38 . 2010-11-26 16:38 -------- d-----w- c:\windows\Sun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 16:23 . 2006-02-28 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2006-02-28 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2006-02-28 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2006-02-28 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 282624]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-10-06 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-10-06 114688]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-10-06 94208]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2009-09-17 153608]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 08:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-06-02 18:28 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/28/2010 1:38 PM 136176]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-12-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-12-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-28 18:38]

2010-12-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-28 18:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.broadentechnologies.com/shop
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\783fuha4.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cbb8d59&v=6.010.023.001&i=26&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
- - - - ORPHANS REMOVED - - - -

ActiveSetup-{927E1ED5-CA30-418E-AD03-13B7DA4B46BD} - h.txtDDS DDS.txtThanks for looking at this for me1TonySteps 1-6 of the 8 Step program for virus addictionIm wIm following the 8 step program...



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-11 10:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3250410AS rev.3.AAF -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A9D3555]<<
c:\docume~1\User\LOCALS~1\Temp\catchme.sys
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a9d97b0]; MOV EAX, [0x8a9d982c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A9E5AB8]
3 CLASSPNP[0xB8108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8AA28A70]
\Driver\atapi[0x8AA35F38] -> IRP_MJ_CREATE -> 0x8A9D3555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST3250410AS_____________________________3.AAF___#5&1d2302db&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A9D339B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(760)
c:\windows\system32\WININET.dll
.
Completion time: 2010-12-11 10:17:29
ComboFix-quarantined-files.txt 2010-12-11 15:17

Pre-Run: 227,865,763,840 bytes free
Post-Run: 228,038,381,568 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - B6CFD69F490F47B68F7972BBD4B3A49A
 
Every time you make a new post, I get email notice. So right now, I'm dealing with 5 emails because you didn't use the Edit feature. This is the weekend, today in particular, Sunday. Allow me to have some time with my family and then I'll review the logs.

Perhaps you weren't aware that we are all volunteer helpers here. Occasionally I try to remind myself that I do have another life. Sometimes, that means that the person with the malware problem must wait another day.

But since you still have a rootkit, please run this while I eat lunch:

Please download MBR Rootkit Detector and save it on your desktop.
  • Pause/Stop all antivirus/spyware active protection.
  • Then double click on mbr.exe to run it.
  • Select Run when you receive a Security Warning
  • The process is automatic, a black DOS window will appear and disappear suddenly. This is normal.
  • A log file will then be created on your desktop where you ran mbr.exe
  • Copy and paste the contents of mbr.log on your next reply.
============================
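The mbr.exe run requested above produces the same kind of output as the "Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector" section embedded in the ComboFix log earlier in this thread. The point worth automating is that "user & kernel MBR OK" on its own is not a clean bill: in that log the MBR reads clean, yet the ">>UNKNOWN [...]<<" module in the disk trace and the "\Driver\atapi DriverStartIo" hook are what the tool's TDL3 warning rests on. The following Python triage script is an added example, not code from the thread, from GMER or from TechSpot; the sample log text is constructed to mirror the format of the log quoted above, and the function and class names are my own.

```python
"""Triage a GMER mbr.exe log for rootkit indicators (added example, not GMER's code).

A "user & kernel MBR OK" line is NOT sufficient to call the disk clean: the
detector also reports unknown modules in the IRP path and hooked driver
routines, and its "Warning:" line is what a responder should act on.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample in the shape of the Stealth MBR detector output quoted in
# this thread (addresses and driver names taken from that log, other fields
# replaced with placeholders). Note the doubled backslashes: this is a normal
# (non-raw) Python string.
SAMPLE_MBR_LOG = """\
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: EXAMPLEDISK rev.1.00 -> Harddisk0\\DR0 -> \\Device\\Ide\\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A9D3555]<<
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \\Device\\Harddisk0\\DR0[0x8A9E5AB8]
\\Driver\\atapi[0x8AA35F38] -> IRP_MJ_CREATE -> 0x8A9D3555
kernel: MBR read successfully
detected disk devices:
\\Device\\Ide\\IdeDeviceP0T0L0-3 -> \\??\\IDE#DiskEXAMPLE#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\\Driver\\atapi DriverStartIo -> 0x8A9D339B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
"""

# Address inside ">>UNKNOWN [0x....]<<" in the "called modules:" line.
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
# One hook line under "detected hooks:", e.g. "\Driver\atapi DriverStartIo -> 0x8A9D339B".
HOOK_RE = re.compile(r"^(\\Driver\\\S+)\s+(\S+)\s+->\s+(0x[0-9A-Fa-f]+)\s*$")


@dataclass
class MbrTriage:
    """Findings pulled from one mbr.exe log."""
    mbr_ok: bool = False                                   # saw "user & kernel MBR OK"
    unknown_modules: List[str] = field(default_factory=list)   # addresses of unknown modules in the IRP path
    hooks: List[Tuple[str, str, str]] = field(default_factory=list)  # (driver, routine, target address)
    warnings: List[str] = field(default_factory=list)      # the tool's own "Warning:" lines

    @property
    def suspicious(self) -> bool:
        """True when anything beyond a clean MBR read was reported."""
        return bool(self.unknown_modules or self.hooks or self.warnings)


def triage_mbr_log(text: str) -> MbrTriage:
    """Walk the log line by line and collect the indicators a responder cares about."""
    result = MbrTriage()
    in_hooks = False  # True while inside the "detected hooks:" block
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "user & kernel MBR OK":
            result.mbr_ok = True
            in_hooks = False
            continue
        if line.startswith("Warning:"):
            result.warnings.append(line)
            in_hooks = False
            continue
        if line.startswith("detected hooks:"):
            in_hooks = True
            continue
        if line.startswith(("detected disk devices:", "Disk trace:")):
            in_hooks = False
            continue
        # Unknown modules can appear anywhere in the trace section.
        result.unknown_modules.extend(UNKNOWN_RE.findall(line))
        if in_hooks:
            match = HOOK_RE.match(line)
            if match:
                result.hooks.append((match.group(1), match.group(2), match.group(3)))
    return result


def verdict(result: MbrTriage) -> str:
    """One-line summary; an OK MBR with hooks is still flagged."""
    if not result.suspicious:
        return "clean: MBR OK, no unknown modules, no hooks"
    parts = ["MBR OK" if result.mbr_ok else "MBR NOT confirmed OK"]
    if result.unknown_modules:
        parts.append("unknown modules: " + ", ".join(result.unknown_modules))
    if result.hooks:
        parts.append("hooks: " + "; ".join(f"{d} {r} -> {a}" for d, r, a in result.hooks))
    parts.extend(result.warnings)
    return "SUSPICIOUS: " + " | ".join(parts)


if __name__ == "__main__":
    print(verdict(triage_mbr_log(SAMPLE_MBR_LOG)))
```

Run it against a pasted mbr.log by replacing SAMPLE_MBR_LOG with the file contents. The design choice is deliberate: `suspicious` ignores `mbr_ok`, so a log that reads "user & kernel MBR OK" but lists a DriverStartIo hook or an unknown module in the IRP path is still reported, which matches how the tool itself arrived at its warning in this thread.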
 
My sincerest apologies. I do understand the nature of your volunteer participation. I too was voluntarily trying to help a disabled/homebound neighbor. I made honest attempts to follow the guidelines of the forum, and did not see references to refraining from weekend use of the forum. I'm relatively sure that my PM to you prompted this response, and again, for that, I apologize. I was sincerely looking to join the fray (become a productive contributor), and should have refrained from referencing this thread in that message. I am sincere in this. You have knowledge and experience that is sorely needed by so many, and I am glad you volunteer your time. I feel worse than you know that I offended you this way. I did peek at your profile several times, and to my detriment, I saw that you do indeed go above and beyond helping others, even on the weekend. When I saw you posting to several other threads, some brand new, I assumed it was ok to interact, since you were online. Maybe TS should give you guys a stealth mode! I guess I was spying, so I was wrong in that regard. I shouldn't have tried to 'bump' my issue. (Now, my better judgment says I should shut up here, but I just can't! My judgment has already proven to be lacking. I need to seek psych help too :)

I would like to respectfully suggest another "sticky" at the top of the forum to newbies like me, to help them participate appropriately and to alleviate the frustration of the volunteers who bring the real value to the site:
1. please refrain from using the forum on weekends and allow the contributors some downtime.
2. realize that each reply generates an email to thread 'subscribers', of which you (as the thread initiator) and your volunteer contributor will receive emails from. If you are actively working and feel compelled to send an update (you made a mistake or have a new revelation), try using the 'edit' feature to update a prior post to your thread, so as not to inundate the volunteer with multiple emails about your posts.
3. Each contributor has their own method for managing the workload they take on voluntarily, and they help multiple members at a time. Don't try to bump your thread to the top thinking it will go to the top of their 'inbox', just let them do their thing. They'll get to you.

I actually had no idea about the automated email responses, since I began the thread from the infected computer and was unable to retrieve my emails from that computer. I had to run home once or twice in the registration process, but was trying to fix her computer 'in situ', which precluded me from viewing my mail via webmail on her computer.

Please understand that I came to TechSpot and this forum as a total newbie, and this was my only experience. I tried to read and follow the instructions provided before I even began my help request, because I do respect the value of your time, and the free services provided here. I had to learn the functions of the threads, and apparently learned the hard way. I had no intention of hitting a gong next to your head with lots of email. I sincerely had no intention of ruining your weekend with my progress posts.

I am tucking my tail and telling my neighbor that she'll need to seek help elsewhere (elsewhere from me, anyway) as I am out of my comfort zone now. I did utilize some of the tools referenced on this forum and others to try to remove the tds4 rootkit. I have no idea if it's really gone - I read enough to know that I don't know what I really need to know (you know that saying, you don't know how much you don't know until...) Anyway her stated purpose for buying the computer was for her grandchild to play educational games (I do see evidence of that) and it'll be fine for that. Although I know that she also used it for banking and Rx renewals, which I think is why I got so zealous about it. I will inform her that she shouldn't use it for such sensitive transactions, as I don't have the experience to ensure the security of those activities with the computer in this 'working but unverified state'. I believe she has other options available to her, and letting her grandkid play 'kung-fu panda' on it shouldn't present a serious risk.

I know that I can get a bit of tunnel vision when a problem like this presents itself, and I didn't mean to make my problem yours.

Thanks for your help, you may close this thread.
 