TechSpot

Google redirect virus?

By lozzapara
Dec 2, 2010
  1. I'm wondering if anyone can help. Lately when using Google it has been redirecting to other sites and opening web pages that I have not searched for. I have followed the 8 steps to virus and malware removal and the logs are attached below:

    Malwarebytes' Anti-Malware 1.50
    www.malwarebytes.org

    Database version: 5233

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 6.0.2900.2180

    02/12/2010 17:13:38
    mbam-log-2010-12-02 (17-13-38).txt

    Scan type: Quick scan
    Objects scanned: 129036
    Time elapsed: 4 minute(s), 31 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2010-12-02 17:17:59
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdePort0 SAMSUNG_MP0402H rev.YQ200-05
    Running: kb0p733g.exe; Driver: C:\DOCUME~1\LAURA\LOCALS~1\Temp\uwncrfog.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
    Disk \Device\Harddisk0\DR0 sector 01: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 04: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 05: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 07: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sectors 78242720 (+255): rootkit-like behavior;

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 82F2A292
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T1L0-c 82F2A292

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskSAMSUNG_MP0402H_________________________YQ200-05#30535733334a4c30353235373038202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- EOF - GMER 1.0.15 ----

    DDS (Ver_10-11-27.01) - NTFSx86
    Run by LAURA at 17:22:42.79 on 02/12/2010
    Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_20
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.758.379 [GMT 0:00]

    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    svchost.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\acs.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Atheros\ACU.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\Program Files\iTunesHelper.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Windows Live\Contacts\wlcomm.exe
    C:\Documents and Settings\LAURA\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uInternet Settings,ProxyOverride = *.local
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [DriverUpdaterPro] c:\program files\ixi tools\driver updater pro\DriverUpdaterPro.exe -t
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    mRun: [ACU] "c:\program files\atheros\ACU.exe" -nogui
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [igfxtray] c:\windows\system32\igfxtray.exe
    mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
    mRun: [igfxpers] c:\windows\system32\igfxpers.exe
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\iTunesHelper.exe"
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    StartupFolder: c:\docume~1\laura\startm~1\programs\startup\BBCIPL~1.LNK -
    StartupFolder: c:\docume~1\laura\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    Trusted Zone: neashomeaccess.co.uk\www
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Notify: avgrsstarter - avgrsstx.dll
    Notify: igfxcui - igfxdev.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\laura\applic~1\mozilla\firefox\profiles\uz25bahy.default\
    FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_verify2?.intl=uk&.partner=bt-1&.done=http%3a//bt.yahoo.com/%3f
    FF - prefs.js: network.proxy.type - 4
    FF - plugin: c:\documents and settings\laura\application data\facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
    FF - plugin: c:\program files\mozilla plugins\npitunes.dll
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

    ============= SERVICES / DRIVERS ===============

    R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2009-8-21 40464]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-21 216400]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-21 29584]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-21 243024]
    R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-6 308136]
    S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe --> c:\progra~1\avg\avg8\avgemc.exe [?]
    S2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe --> c:\progra~1\avg\avg8\avgwdsvc.exe [?]

    =============== Created Last 30 ================

    2010-11-30 12:28:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-11-30 12:28:18 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-30 12:28:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-11-25 17:08:26 15256 ----a-w- c:\docume~1\laura\applic~1\microsoft\identitycrl\production\ppcrlconfig.dll
    2010-11-19 12:30:06 -------- d-----w- c:\windows\system32\appmgmt
    2010-11-16 14:36:08 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2010-11-16 14:36:08 -------- d-----w- c:\windows\system32\wbem\Repository

    ==================== Find3M ====================

    2010-09-08 10:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-09-08 10:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2009-09-18 11:01:50 18863384 ----a-w- c:\program files\LimeWireWin.exe

    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: SAMSUNG_MP0402H rev.YQ200-05 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-4

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82F2A446]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x82f30504]; MOV EAX, [0x82f30580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EDE00] -> \Device\Harddisk0\DR0[0x82F6BAB8]
    3 CLASSPNP[0xF757D05B] -> ntkrnlpa!IofCallDriver[0x804EDE00] -> \Device\00000070[0x82F839E8]
    5 ACPI[0xF7413620] -> ntkrnlpa!IofCallDriver[0x804EDE00] -> [0x82F39940]
    \Driver\atapi[0x82F6B1D0] -> IRP_MJ_CREATE -> 0x82F2A446
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
    detected disk devices:
    \Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskSAMSUNG_MP0402H_________________________YQ200-05#30535733334a4c30353235373038202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x82F2A292
    user != kernel MBR !!!
    sectors 78242974 (+255): user != kernel
    Warning: possible TDL4 rootkit infection !
    TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

    ============= FINISH: 17:23:35.67 ===============

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-11-27.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 06/07/2010 16:31:46
    System Uptime: 12/02/2010 17:02:29 (7032 hours ago)

    Motherboard: Acer | | Garda-910
    Processor: Intel(R) Celeron(R) M processor 1.50GHz | U1 | 1496/100mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 16 GiB total, 10.81 GiB free.
    D: is FIXED (FAT32) - 18 GiB total, 11.656 GiB free.
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Broadcom 802.11g Network Adapter
    Device ID: PCI\VEN_14E4&DEV_4318&SUBSYS_03121468&REV_02\4&AD1B67F&0&28F0
    Manufacturer: Broadcom
    Name: Broadcom 802.11g Network Adapter
    PNP Device ID: PCI\VEN_14E4&DEV_4318&SUBSYS_03121468&REV_02\4&AD1B67F&0&28F0
    Service: BCM43XX

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    Adobe AIR
    Adobe Flash Player 10 Plugin
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Atheros Client Installation Program
    AVG 2011
    AVG Free 9.0
    BBC iPlayer Desktop
    Bonjour
    CTA Law and Ethics
    DeepBurner v1.9.0.228
    Facebook Plug-In
    Foxit Reader
    i-assess runtime utilities Version 3
    Intel(R) Graphics Media Accelerator Driver for Mobile
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 14
    Java(TM) 6 Update 20
    LimeWire 5.5.7
    Malwarebytes' Anti-Malware
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Office 2000 Premium
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mozilla Firefox (3.6.12)
    MSVCRT
    Paragon Drive Backup™ 9.0 Express
    QuickTime
    Realtek AC'97 Audio
    Security Update for Windows XP (KB923789)
    Segoe UI
    SoftV90 Data Fax Modem with SmartCP
    Spybot - Search & Destroy
    Spybot - Search & Destroy 1.3
    WebFldrs XP
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Messenger
    Windows Live Upload Tool

    ==== Event Viewer Messages From Past Week ========

    30/11/2010 11:58:16, error: Service Control Manager [7001] - The AVG8 E-mail Scanner service depends on the AVG8 WatchDog service which failed to start because of the following error: The system cannot find the path specified.
    30/11/2010 11:58:16, error: Service Control Manager [7000] - The AVG8 WatchDog service failed to start due to the following error: The system cannot find the path specified.
    29/11/2010 13:23:37, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.
    26/11/2010 17:20:21, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
    02/12/2010 17:00:17, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
    02/12/2010 17:00:16, error: Service Control Manager [7034] - The Atheros Configuration Service service terminated unexpectedly. It has done this 1 time(s).
    02/12/2010 17:00:16, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

    ==== End Of File ===========================
     
  2. Bobbye


    Okay, you have a Rootkit malware infection. Please start with this program:
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file > Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe to run the scan.
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.
    =========================================
    Please follow with Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    I'll check the current logs while you're running the other programs.
     
  3. lozzapara


    Thanks for your quick response. I ran both programmes and here is the log for the ESET scan:

    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=05a6e1e89323a841bc0727685c2de5ca
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-12-02 08:57:00
    # local_time=2010-12-02 08:57:00 (+0000, GMT Standard Time)
    # country="United Kingdom"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 2
    # compatibility_mode=512 16777215 100 0 11843471 11843471 0 0
    # compatibility_mode=1797 16775141 100 93 4193 27851353 2478 0
    # compatibility_mode=8192 67108863 100 0 3903 3903 0 0
    # scanned=38747
    # found=0
    # cleaned=0
    # scan_time=1416
     
  4. Bobbye


    Good. The Eset scan is clean. Please give me the TDSSKiller log.

    You have 2 versions of AVG running: AVG Free 9.0 & AVG 2011. You should remove the older version. And you will need to temporarily uninstall the version you're keeping in order to run this program:
    Here is a tool to help: AVG Removal: Note: You may have to reinstall AVG to uninstall it fully.

    It's best to save the Tool to your desktop, then go into Safe Mode to run it.

    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Query- Recovery Console image
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Important!
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
     
  5. Bobbye


    Please take LimeWire off of Startup. Then either uninstall it (recommended) or disable it while I'm helping you.

    P2P or 'file sharing' Warning:
    Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall LimeWire for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.

    Please remove these outdated versions of Java: Java(TM) 6 Update 14 & Java(TM) 6 Update 20 in Add/Remove Programs.
    Update to current v6u22: Java Updates
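The triage below is an added example, not part of the thread or of the DDS, GMER or mbr.exe tools: it reads log lines in the formats posted above and surfaces the indicators the helper acted on in posts 2, 4 and 5 (the user/kernel MBR mismatch and TDL4 flag, the hooked atapi DriverStartIo, two AVG versions, two Java 6 updates, LimeWire in the startup folder, no restore points). The sample lines are constructed from the thread's own output; the section-header handling, the P2P name list and the regexes are my assumptions.

```python
"""Triage helper for DDS / GMER / mbr.exe log lines of the kind posted in this thread.

Added example, not part of the thread or of the DDS, GMER or mbr.exe tools.
It reads a log as text and returns the indicators a helper would act on.
"""
import re

# Constructed sample: a handful of lines in the formats shown in the thread.
SAMPLE_LOG = r"""
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
StartupFolder: c:\docume~1\laura\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
detected hooks:
\Driver\atapi DriverStartIo -> 0x82F2A292
user != kernel MBR !!!
Warning: possible TDL4 rootkit infection !
==== System Restore Points ===================
No restore point in system.
==== Installed Programs ======================
AVG 2011
AVG Free 9.0
Java(TM) 6 Update 14
Java(TM) 6 Update 20
LimeWire 5.5.7
==== Event Viewer Messages From Past Week ========
"""

# Assumed list of P2P client names to look for in startup entries (the thread names LimeWire).
P2P_CLIENTS = ("limewire",)


def installed_programs(log: str) -> list[str]:
    """Return the entries listed under the DDS '==== Installed Programs' header."""
    entries, inside = [], False
    for line in log.splitlines():
        if line.startswith("==== Installed Programs"):
            inside = True
            continue
        if inside and line.startswith("===="):   # next DDS section starts
            break
        if inside and line.strip():
            entries.append(line.strip())
    return entries


def triage(log: str) -> dict[str, list[str]]:
    """Map finding categories to the evidence lines that support them."""
    findings: dict[str, list[str]] = {}

    def add(key: str, evidence: str) -> None:
        findings.setdefault(key, []).append(evidence)

    # mbr.exe reads sector 0 through the user-mode API and again from the
    # kernel; a mismatch means something below the filesystem is lying about
    # the MBR, which is how a bootkit such as TDL4 hides its loader.
    if "user != kernel MBR" in log:
        add("mbr_rootkit", "user-mode and kernel-mode reads of the MBR differ")
    for m in re.finditer(r"sector (\d+) \(MBR\): rootkit-like behavior; (\w+)", log):
        add("mbr_rootkit", f"GMER flagged MBR sector {m.group(1)} as {m.group(2)}")

    # A DriverStartIo pointer redirected to an unknown address is the disk
    # driver hook that makes the mismatch above possible.
    for m in re.finditer(r"^\\Driver\\(\w+) DriverStartIo -> (0x[0-9A-Fa-f]+)", log, re.M):
        add("driver_hook", f"{m.group(1)} DriverStartIo hooked at {m.group(2)}")

    if "*On-access scanning disabled*" in log:
        add("av_disabled", "real-time AV scanning is reported disabled")

    programs = installed_programs(log)
    avg = [p for p in programs if p.startswith("AVG")]
    if len(avg) > 1:            # two AV products installed side by side
        findings["duplicate_av"] = avg
    java = [p for p in programs if re.match(r"Java\(TM\) \d+ Update \d+$", p)]
    if len(java) > 1:           # several JRE updates left installed together
        findings["multiple_java"] = java

    for m in re.finditer(r"^StartupFolder: \S+ - (.+)$", log, re.M):
        target = m.group(1)
        if any(name in target.lower() for name in P2P_CLIENTS):
            add("p2p_startup", target)

    if "No restore point in system." in log:
        add("no_restore_points", "no System Restore point available for rollback")
    return findings


if __name__ == "__main__":
    for key, evidence in triage(SAMPLE_LOG).items():
        print(f"{key}:")
        for line in evidence:
            print(f"  - {line}")
```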
     
  6. lozzapara


    I've been having problems uninstalling AVG 9 but it seems to have worked with the removal tool, thanks. I've also uninstalled LimeWire as I never use it anyway and the outdated Java. Here's the ComboFix and the TDSSKiller log:

    ComboFix 10-12-02.01 - LAURA 02/12/2010 23:08:13.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.758.546 [GMT 0:00]
    Running from: c:\documents and settings\LAURA\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\LAURA\Application Data\completescan
    c:\documents and settings\LAURA\Application Data\install
    c:\windows\Tasks\At1.job
    c:\windows\Tasks\At10.job
    c:\windows\Tasks\At11.job
    c:\windows\Tasks\At12.job
    c:\windows\Tasks\At13.job
    c:\windows\Tasks\At14.job
    c:\windows\Tasks\At15.job
    c:\windows\Tasks\At16.job
    c:\windows\Tasks\At17.job
    c:\windows\Tasks\At18.job
    c:\windows\Tasks\At19.job
    c:\windows\Tasks\At2.job
    c:\windows\Tasks\At20.job
    c:\windows\Tasks\At21.job
    c:\windows\Tasks\At22.job
    c:\windows\Tasks\At23.job
    c:\windows\Tasks\At24.job
    c:\windows\Tasks\At3.job
    c:\windows\Tasks\At4.job
    c:\windows\Tasks\At5.job
    c:\windows\Tasks\At6.job
    c:\windows\Tasks\At7.job
    c:\windows\Tasks\At8.job
    c:\windows\Tasks\At9.job

    .
    ((((((((((((((((((((((((( Files Created from 2010-11-02 to 2010-12-02 )))))))))))))))))))))))))))))))
    .

    2010-12-02 22:01 . 2010-12-02 22:01 -------- d-----w- c:\documents and settings\LAURA\Application Data\AVG10
    2010-12-02 21:58 . 2010-12-02 21:58 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
    2010-12-02 21:56 . 2010-12-02 23:01 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
    2010-12-02 21:50 . 2010-12-02 21:50 4502408 ----a-w- c:\program files\avg_free_stb_all_2011_1170_cnet.exe
    2010-12-02 21:29 . 2010-12-02 21:42 -------- d-----w- c:\program files\VS Revo Group
    2010-11-30 12:28 . 2010-12-02 21:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-11-29 20:15 . 2010-11-29 20:15 -------- d-s---w- c:\documents and settings\NetworkService\UserData
    2010-11-26 20:46 . 2010-11-26 20:46 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
    2010-11-16 14:36 . 2010-11-16 14:36 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-11-16 14:29 . 2010-11-16 14:31 -------- d-s---w- c:\documents and settings\Administrator

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-24 01:10 . 2010-09-24 01:10 573736 ----a-w- c:\program files\iTunesPhotoProcessor.exe
    2010-09-24 01:10 . 2010-09-24 01:10 294688 ----a-w- c:\program files\iTunesOutlookAddIn.dll
    2010-09-24 01:10 . 2010-09-24 01:10 124200 ----a-w- c:\program files\iTunesMiniPlayer.dll
    2010-09-24 01:10 . 2010-09-24 01:10 421160 ----a-w- c:\program files\iTunesHelper.exe
    2010-09-24 01:10 . 2010-09-24 01:10 387368 ----a-w- c:\program files\iTunesAdmin.dll
    2010-09-24 01:10 . 2010-09-24 01:10 173344 ----a-w- c:\program files\iTunesHelper.dll
    2010-09-24 01:10 . 2010-09-24 01:10 9777448 ----a-w- c:\program files\iTunes.exe
    2010-09-24 01:10 . 2010-09-24 01:10 726304 ----a-w- c:\program files\gnsdk_sdkmanager.dll
    2010-09-24 01:10 . 2010-09-24 01:10 648992 ----a-w- c:\program files\iPodUpdaterExt.dll
    2010-09-24 01:10 . 2010-09-24 01:10 259360 ----a-w- c:\program files\gnsdk_submit.dll
    2010-09-24 01:10 . 2010-09-24 01:10 197920 ----a-w- c:\program files\gnsdk_musicid.dll
    2010-09-24 01:10 . 2010-09-24 01:10 18710816 ----a-w- c:\program files\iTunes.dll
    2010-09-24 01:10 . 2010-09-24 01:10 111912 ----a-w- c:\program files\ITDetector.ocx
    2010-09-08 10:17 . 2010-09-08 10:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-09-08 10:17 . 2010-09-08 10:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2009-09-18 11:01 . 2009-09-18 11:01 18863384 ----a-w- c:\program files\LimeWireWin.exe
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-07-21_09.53.35 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-07-11 23:02 . 2009-07-11 23:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
    + 2009-07-11 23:02 . 2009-07-11 23:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
    + 2009-07-11 23:02 . 2009-07-11 23:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
    + 2009-07-11 23:02 . 2009-07-11 23:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
    + 2009-07-11 23:02 . 2009-07-11 23:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
    + 2009-07-11 23:02 . 2009-07-11 23:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
    + 2009-07-11 23:02 . 2009-07-11 23:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
    + 2009-07-11 23:02 . 2009-07-11 23:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
    + 2009-07-11 23:02 . 2009-07-11 23:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
    + 2009-07-11 23:02 . 2009-07-11 23:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
    + 2009-07-11 23:02 . 2009-07-11 23:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
    + 2009-07-11 23:02 . 2009-07-11 23:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
    + 2009-07-11 23:05 . 2009-07-11 23:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
    + 2009-07-11 23:05 . 2009-07-11 23:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
    + 2010-12-02 23:03 . 2010-12-02 23:03 16384 c:\windows\Temp\Perflib_Perfdata_5bc.dat
    - 2001-08-23 14:00 . 2010-07-21 09:45 40394 c:\windows\system32\perfc009.dat
    + 2001-08-23 14:00 . 2010-11-26 18:34 40394 c:\windows\system32\perfc009.dat
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DriverUpdaterPro"="c:\program files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe" [BU]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ACU"="c:\program files\Atheros\ACU.exe" [2005-01-31 253952]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-08-24 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-08-24 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-08-24 114688]
    "SoundMan"="SOUNDMAN.EXE" [2005-04-15 77824]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
    "iTunesHelper"="c:\program files\iTunesHelper.exe" [2010-09-24 421160]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-18 65588]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes.exe"=

    R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [21/08/2009 16:31 40464]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-11-18 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

    2010-12-02 c:\windows\Tasks\WGASetup.job
    - c:\windows\system32\KB905474\wgasetup.exe [2010-03-26 22:18]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    Trusted Zone: neashomeaccess.co.uk\www
    FF - ProfilePath - c:\documents and settings\LAURA\Application Data\Mozilla\Firefox\Profiles\uz25bahy.default\
    FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_verify2?.intl=uk&.partner=bt-1&.done=http%3a//bt.yahoo.com/%3f
    FF - prefs.js: network.proxy.type - 4
    FF - plugin: c:\documents and settings\LAURA\Application Data\Facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
    FF - plugin: c:\program files\Mozilla Plugins\npitunes.dll
    FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-msnmsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe
    HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
    Notify-avgrsstarter - avgrsstx.dll



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-02 23:11
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2010-12-02 23:13:39
    ComboFix-quarantined-files.txt 2010-12-02 23:13

    Pre-Run: 11,229,405,184 bytes free
    Post-Run: 11,392,487,424 bytes free

    - - End Of File - - 8535CDECACC7080F17287171AAAE7627

    2010/12/02 20:20:45.0281 TDSS rootkit removing tool 2.4.10.1 Dec 2 2010 12:28:01
    2010/12/02 20:20:45.0281 ================================================================================
    2010/12/02 20:20:45.0281 SystemInfo:
    2010/12/02 20:20:45.0281
    2010/12/02 20:20:45.0281 OS Version: 5.1.2600 ServicePack: 2.0
    2010/12/02 20:20:45.0281 Product type: Workstation
    2010/12/02 20:20:45.0281 ComputerName: LAURA-A46C1CB7E
    2010/12/02 20:20:45.0281 UserName: LAURA
    2010/12/02 20:20:45.0281 Windows directory: C:\WINDOWS
    2010/12/02 20:20:45.0281 System windows directory: C:\WINDOWS
    2010/12/02 20:20:45.0281 Processor architecture: Intel x86
    2010/12/02 20:20:45.0281 Number of processors: 1
    2010/12/02 20:20:45.0281 Page size: 0x1000
    2010/12/02 20:20:45.0281 Boot type: Normal boot
    2010/12/02 20:20:45.0281 ================================================================================
    2010/12/02 20:20:45.0609 Initialize success
    2010/12/02 20:20:55.0812 ================================================================================
    2010/12/02 20:20:55.0812 Scan started
    2010/12/02 20:20:55.0812 Mode: Manual;
    2010/12/02 20:20:55.0812 ================================================================================
    2010/12/02 20:21:10.0796 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
    2010/12/02 20:21:10.0812 ================================================================================
    2010/12/02 20:21:10.0812 Scan finished
    2010/12/02 20:21:10.0812 ================================================================================
    2010/12/02 20:21:10.0828 Detected object count: 1
    2010/12/02 20:21:29.0281 \HardDisk0 - will be cured after reboot
    2010/12/02 20:21:29.0281 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
    2010/12/02 20:22:18.0765 Deinitialize success
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I have not ever been able to understand why anyone would use a file sharing site to get a security program! (c:\program files\avg_free_stb_all_2011_1170_cnet.exe)
    This is a torrent download! If you decide to reinstall AVG, I recommend you do it from the home site: Avira Free
    ===========================================
    Please run this Custom CFScript

    • [1]. Close any open browsers.
    • [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    KillAll::
    File::
    c:\program files\LimeWireWin.exe
    c:\program files\avg_free_stb_all_2011_1170_cnet.exe
    Folder::
    c:\documents and settings\LAURA\Application Data\AVG10
    c:\documents and settings\All Users\Application Data\Common Files
    c:\documents and settings\All Users\Application Data\AVG10
    
    DDS::
    StartupFolder: c:\docume~1\laura\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
    
    Extra::
    File::
    c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    Firefox::
    Firefox-: - Profile - c:\docume~1\laura\applic~1\mozilla\firefox\profiles\uz25bahy.default\
    
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=-
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    No restore points in system? When the system is clean, you will need to make sure this isn't turned off.
    ======================
    Let's make sure the MBR is clean:
    Download bootkitremover.rar and save it to your desktop.
    • Extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip
    • Double-click on the remover.exe file to run the program.
    • Paste the output in your next reply.
     
  8. lozzapara

    lozzapara TS Rookie Topic Starter

    ComboFix 10-12-03.01 - LAURA 04/12/2010 10:53:16.3.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.758.547 [GMT 0:00]
    Running from: c:\documents and settings\LAURA\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\LAURA\Desktop\CFScript.txt

    FILE ::
    "c:\program files\avg_free_stb_all_2011_1170_cnet.exe"
    "c:\program files\LimeWireWin.exe"
    "c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}"
    "c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\AVG10
    c:\documents and settings\All Users\Application Data\AVG10\SetupBackup\TuneUpx.cab
    c:\documents and settings\All Users\Application Data\AVG10\SetupBackup\Update2x.cab
    c:\documents and settings\All Users\Application Data\AVG10\SetupBackup\Updatex.cab
    c:\documents and settings\All Users\Application Data\AVG10\SetupBackup\xplx.cab
    c:\documents and settings\All Users\Application Data\Common Files
    c:\documents and settings\All Users\Application Data\Common Files\FC7458D0-C084-52D0-2F2E-77B3E11420F4.dat
    c:\documents and settings\LAURA\Application Data\AVG10
    c:\documents and settings\LAURA\Application Data\AVG10\cfgall\usergui.cfg
    c:\program files\avg_free_stb_all_2011_1170_cnet.exe
    c:\program files\LimeWireWin.exe

    .
    ((((((((((((((((((((((((( Files Created from 2010-11-04 to 2010-12-04 )))))))))))))))))))))))))))))))
    .

    2010-12-02 21:29 . 2010-12-02 21:42 -------- d-----w- c:\program files\VS Revo Group
    2010-11-30 12:28 . 2010-12-02 21:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-11-29 20:15 . 2010-11-29 20:15 -------- d-s---w- c:\documents and settings\NetworkService\UserData
    2010-11-26 20:46 . 2010-11-26 20:46 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
    2010-11-16 14:36 . 2010-11-16 14:36 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-11-16 14:29 . 2010-11-16 14:31 -------- d-s---w- c:\documents and settings\Administrator

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-24 01:10 . 2010-09-24 01:10 573736 ----a-w- c:\program files\iTunesPhotoProcessor.exe
    2010-09-24 01:10 . 2010-09-24 01:10 294688 ----a-w- c:\program files\iTunesOutlookAddIn.dll
    2010-09-24 01:10 . 2010-09-24 01:10 124200 ----a-w- c:\program files\iTunesMiniPlayer.dll
    2010-09-24 01:10 . 2010-09-24 01:10 421160 ----a-w- c:\program files\iTunesHelper.exe
    2010-09-24 01:10 . 2010-09-24 01:10 387368 ----a-w- c:\program files\iTunesAdmin.dll
    2010-09-24 01:10 . 2010-09-24 01:10 173344 ----a-w- c:\program files\iTunesHelper.dll
    2010-09-24 01:10 . 2010-09-24 01:10 9777448 ----a-w- c:\program files\iTunes.exe
    2010-09-24 01:10 . 2010-09-24 01:10 726304 ----a-w- c:\program files\gnsdk_sdkmanager.dll
    2010-09-24 01:10 . 2010-09-24 01:10 648992 ----a-w- c:\program files\iPodUpdaterExt.dll
    2010-09-24 01:10 . 2010-09-24 01:10 259360 ----a-w- c:\program files\gnsdk_submit.dll
    2010-09-24 01:10 . 2010-09-24 01:10 197920 ----a-w- c:\program files\gnsdk_musicid.dll
    2010-09-24 01:10 . 2010-09-24 01:10 18710816 ----a-w- c:\program files\iTunes.dll
    2010-09-24 01:10 . 2010-09-24 01:10 111912 ----a-w- c:\program files\ITDetector.ocx
    2010-09-08 10:17 . 2010-09-08 10:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-09-08 10:17 . 2010-09-08 10:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
    .

    ((((((((((((((((((((((((((((( SnapShot_2010-12-02_23.11.54 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-12-02 23:38 . 2010-12-02 23:38 3065856 c:\windows\Installer\c70e9.msi
    + 2010-12-02 23:35 . 2010-12-02 23:35 1548288 c:\windows\Installer\c70e5.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DriverUpdaterPro"="c:\program files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe" [BU]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ACU"="c:\program files\Atheros\ACU.exe" [2005-01-31 253952]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-08-24 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-08-24 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-08-24 114688]
    "SoundMan"="SOUNDMAN.EXE" [2005-04-15 77824]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
    "iTunesHelper"="c:\program files\iTunesHelper.exe" [2010-09-24 421160]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-18 65588]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    [BU]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes.exe"=

    R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [21/08/2009 16:31 40464]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-11-18 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

    2010-12-04 c:\windows\Tasks\WGASetup.job
    - c:\windows\system32\KB905474\wgasetup.exe [2010-03-26 22:18]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    Trusted Zone: neashomeaccess.co.uk\www
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - ProfilePath - c:\documents and settings\LAURA\Application Data\Mozilla\Firefox\Profiles\uz25bahy.default\
    FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_verify2?.intl=uk&.partner=bt-1&.done=http%3a//bt.yahoo.com/%3f
    FF - prefs.js: network.proxy.type - 4
    FF - plugin: c:\documents and settings\LAURA\Application Data\Facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
    FF - plugin: c:\program files\Mozilla Plugins\npitunes.dll
    FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-04 10:58
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\acs.exe
    c:\windows\SOUNDMAN.EXE
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2010-12-04 11:00:30 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-12-04 11:00
    ComboFix2.txt 2010-12-02 23:13

    Pre-Run: 11,344,338,944 bytes free
    Post-Run: 11,307,397,120 bytes free

    - - End Of File - - AA411D2F79F8CB71CD5857A8C820C148


    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.2.0.0
    OS Version: Microsoft Windows XP Professional Service Pack 2 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`c8073000
    Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

    Size Device Name MBR Status
    --------------------------------------------
    37 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...
     
  9. Bobbye


    The logs look good. If the redirect has been resolved, you can now remove all of the tools we used and the files and folders they created.
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name, then click "Create".
    • Go back and follow the path to System Tools.
    • Choose Disk Cleanup.
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin

    Let me know if you have any more questions.
     
Topic Status:
Not open for further replies.
