oakland600
Posts: 7 +0
Hi,
Trying to be as specific as possible. The following points give the details and sequence of what I have tried already prior to posting at TechSpot.
1. O/S is WinXP Pro, Service Pack 3.
2. First thing was AVG picking up hundreds of Win32/Zbot detections about 10 days ago. Also "xgamwtuc.exe – application error" appears, and an error relating to a dfrgcfg.dll file, when booting the PC. Also noticed one or two re-directs in Internet Explorer in the days just prior to the AVG detection, although the home page was still set OK.
3. Traced the location of "xgamwtuc.exe" to c:\documents and settings\dad\local settings\application data\pdlamtll and "dfrgcfg.dll" to c:\documents and settings\dad\local settings\application data\tcpcommsplugin\
4. Noticed a lot of randomly named text files in these locations.
5. Manually deleted all suspect folders and text files.
6. Ran the AVG rescue disk at boot-up and it identified thousands of infected files. I took the rename option. I appreciate that's not always the right thing to do as it can mess up the O/S and apps. However, I have a text file of all the renamed system files and can manually change them back to their original names if required.
7. Second thing was to run the rmzbot.exe app from AVG. This cleaned all the renamed files. Some files couldn't be opened. Ran this again.
8. Symptoms at this stage were, on boot-up, "xgamwtuc.exe – application error" still appears, but not the dfrgcfg.dll error.
9. Can connect to the internet/network but no access to any web-site. When connected, 6 text files re-appear one by one in the c:\documents and settings\dad\local settings\application data folder. This stops as soon as I disconnect; however, 2 text files are generated in the same location each time I delete the other text files, even when off-line.
10. Tried several full scans using AVG anti-virus but the PC re-boots itself just after starting the scan.
11. Attempted to disable the xgamwtuc and dfrgcfg.dll exes in MSCONFIG but this only seemed to stop the dfrgcfg.dll exe and not the xgamwtuc exe; another xgamwtuc exe entry re-appears after re-boot. The registry entry is at HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN.
12. MSCONFIG is now running in NORMAL mode, causing both the xgamwtuc and dfrgcfg.dll error messages on start-up.
13. Now starting the TechSpot clean-up pre-posting process.
14. Removed Spybot S&D and AVG from the PC. Downloaded Avira onto a laptop and burnt it to disk. Installed Avira and briefly connected the infected PC to the internet to allow Avira to update. Ran an Avira scan and it picked up 105 infections. Healed or removed all of these.
15. Installed Malwarebytes, did the update and then a full scan. Picked up 9 infections. All healed or removed.
16. Installed GMER. Turned off real-time anti-virus. Unsure if you want a full scan or just the auto GMER scan that it does when first started. Anyway, the auto-scan log is shown below. A full scan re-boots the PC after a few seconds, so no full scan log is available. Tried un-checking the devices option and the PC freezes a few minutes into the full scan. Unable to enter safe mode to try a full GMER scan; when safe mode is selected the PC just re-boots. It's been a while since I've used safe mode but I'm pretty sure it worked OK last time.
17. Ran the DDS app; logs shown below.
18. Just as I was ready to post the first message, Avira popped up with another detection, "TR/Kazy.48799.5" in "C:\Program Files\Avira\AntiVir Desktop\avguardmgr.exe". Scanned the file with Malwarebytes, which detected a Trojan.Downloader.bh. The log for this scan is shown below. Will now re-boot to remove the infected file.
19. MSCONFIG no longer shows the xgamwtuc.exe entry but dfrgcfg.dll is still listed under start-up. MSCONFIG is still set to normal load. Nothing is blocked.
20. Symptoms now on re-boot are a RUNDLL error message against the dfrgcfg.dll file. Otherwise it boots OK. Avira still seems to work OK even though the file avguardmgr.exe has been removed.
21. Text files no longer appear in c:\documents and settings\dad\local settings\application data\, either when connected or not.
22. Can connect to the network/internet but IE doesn't launch. Firefox launches but doesn't show any web-site. Haven't uninstalled/re-installed these two programs yet; that will be the next job, but I will await instructions before doing anything else.
23. Any help you can give will be much appreciated. Apologies for the long post and for any mistakes I've made in trying to fix the problem.
24. Thanks in advance for your help.
Ian
Malwarebytes main log:
Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org
Database version: v2011.12.29.03
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Dad :: CONSERVATORY [administrator]
29/12/2011 14:32:59
mbam-log-2011-12-29 (14-32-59).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 201773
Time elapsed: 19 minute(s), 4 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 4
HKCU\SOFTWARE\Policies\Microsoft\Internet Explorer\control panel|Homepage (PUM.Hijack.HomePageControl) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
Folders Detected: 0
(No malicious items detected)
Files Detected: 5
C:\RECYCLER\S-1-5-21-1409082233-308236825-839522115-1004\Dc121\xgamwtuc.exe (Trojan.Downloader.bh) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-1409082233-308236825-839522115-1004\Dc127\xgamwtuc.exe (Trojan.Downloader.bh) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-1409082233-308236825-839522115-1004\Dc240\xgamwtuc.exe (Trojan.Downloader.bh) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\xgamwtuc.exe (Trojan.Downloader.bh) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\poxhyvwiopejwoxv.exe (Trojan.Downloader.bh) -> Quarantined and deleted successfully.
(end)
GMER auto start-up log: (not able to run full scan)
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-12-29 15:38:57
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\00000070 Maxtor_6V300F0 rev.VA111900
Running: t7xff30i.exe; Driver: C:\DOCUME~1\Dad\LOCALS~1\Temp\ufldrpow.sys
---- System - GMER 1.0.15 ----
SSDT spwq.sys ZwEnumerateKey [0xB9EC6CA2]
SSDT spwq.sys ZwEnumerateValueKey [0xB9EC7030]
---- Devices - GMER 1.0.15 ----
Device \Driver\atapi \Device\Ide\IdePort0 [B9DC9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [B9DC9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [B9DC9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [B9DC9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\imagedrv \Device\Scsi\imagedrv1 8A7551F8
Device \Driver\ab26jqzm \Device\Scsi\ab26jqzm1Port5Path0Target0Lun0 8A2C71F8
Device \Driver\ab26jqzm \Device\Scsi\ab26jqzm1 8A2C71F8
Device \Driver\imagedrv \Device\Scsi\imagedrv1Port4Path0Target0Lun0 8A7551F8
Device \FileSystem\Ntfs \Ntfs 8A7541F8
---- EOF - GMER 1.0.15 ----
DDS-Attach log:
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 05/05/2008 21:26:25
System Uptime: 29/12/2011 16:01:03 (0 hours ago)
.
Motherboard: WinFast | | C51MCP51
Processor: AMD Athlon(tm) 64 Processor 3700+ | Socket 939 | 2210/201mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 279 GiB total, 9.131 GiB free.
D: is CDROM (UDF)
E: is CDROM ()
G: is FIXED (NTFS) - 466 GiB total, 48.051 GiB free.
H: is CDROM ()
I: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description: Maxtor 1394 Storage Front Panel*
Device ID: 1394\MAXTOR&1394_STORAGE_FRONT_PANEL*\73F68C0020B91000
Manufacturer:
Name: Maxtor 1394 Storage Front Panel*
PNP Device ID: 1394\MAXTOR&1394_STORAGE_FRONT_PANEL*\73F68C0020B91000
Service:
.
Class GUID: {4D36E967-E325-11CE-BFC1-08002BE10318}
Description: Disk drive
Device ID: SBP2\MAXTOR&ONETOUCH&LUN0\0010B920008CF673
Manufacturer: (Standard disk drives)
Name: Maxtor OneTouch IEEE 1394 SBP2 Device
PNP Device ID: SBP2\MAXTOR&ONETOUCH&LUN0\0010B920008CF673
Service: disk
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
.
AC3Filter 1.62b
Adobe Acrobat 4.0
Adobe AIR
Adobe Community Help
Adobe Flash Player 10 Plugin
Adobe Flash Player 11 ActiveX
Adobe Photoshop CS5.1
Adobe Reader 8.3.1
µTorrent
Avira Free Antivirus
Canon MP Navigator EX 3.0
Canon MP560 series MP Drivers
Canon MP560 series User Registration
Canon Utilities Easy-PhotoPrint EX
Canon Utilities My Printer
Canon Utilities Solution Menu
CompuApps SwissKnife V3
ConvertXtoDVD 2.2.3.258
DivX Setup
FileZilla Client 3.5.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB981793)
InterVideo DeviceService
Java(TM) 6 Update 11
LDC Driving Test Complete
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
Malwarebytes Anti-Malware version 1.60.0.1800
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Age of Empires Gold
Microsoft Age of Empires II
Microsoft Age of Empires II: The Conquerors Expansion
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Software Update for Web Folders (English) 14
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft WSE 3.0 Runtime
Microsoft_VC80_ATL_x86
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
Microsoft_VC90_MFCLOC_x86
Mozilla Firefox (3.5.3)
MSN
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 7 Ultra Edition
neroxml
NOMAD Jukebox 3
NOMAD Jukebox 3 Driver
NVIDIA Drivers
PDF Settings CS5
Realtek AC'97 Audio
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982381)
Security Update for Windows XP (KB982665)
SmartPad Software 1.0
Success Builder Algebra 1
SuperUtility
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.6195
WebFldrs XP
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows XP Service Pack 3
WinRAR archiver
Xilisoft Video Converter Ultimate
.
==== Event Viewer Messages From Past Week ========
.
29/12/2011 15:41:23, error: System Error [1003] - Error code 1000007e, parameter1 c0000005, parameter2 805446b2, parameter3 ba56f868, parameter4 ba56f564.
29/12/2011 15:38:04, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 805446b2, parameter3 ab82daa4, parameter4 00000000.
29/12/2011 15:33:21, error: nvatabus [6] - Device Maxtor 6V300F0 [V60CYKKG] timed out an I/O operation.
29/12/2011 15:12:34, error: sbp2port [4] - Driver detected an internal error in its data structures for .
29/12/2011 14:29:01, error: MRxSmb [8003] - The master browser has received a server announcement from the computer DAD-LAP that believes that it is the master browser for the domain on transport NetBT_Tcpip_{7B72DCF6-05A4-4F9E-A. The master browser is stopping or an election is being forced.
29/12/2011 14:10:05, error: System Error [1003] - Error code 000000c2, parameter1 00000007, parameter2 00000cd4, parameter3 00000000, parameter4 ffdffffe.
29/12/2011 13:48:30, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: The system cannot find the file specified.
29/12/2011 13:48:26, error: SRService [104] - The System Restore initialization process failed.
28/12/2011 19:20:24, error: Service Control Manager [7034] - The Avira Realtime Protection service terminated unexpectedly. It has done this 4 time(s).
28/12/2011 18:58:47, error: Service Control Manager [7034] - The Avira Realtime Protection service terminated unexpectedly. It has done this 3 time(s).
28/12/2011 18:58:45, error: Service Control Manager [7031] - The Avira Realtime Protection service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
28/12/2011 18:58:43, error: Service Control Manager [7031] - The Avira Realtime Protection service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
28/12/2011 18:57:37, error: sbp2port [9] - The device, , did not respond within the timeout period.
.
==== End Of File ===========================
DDS-log:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Dad at 16:20:05 on 2011-12-29
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2046.1649 [GMT 0:00]
.
AV: AVG Anti-Virus Free *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Elan\USB\ETDUSBCtrl.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\wscntfy.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Dfrgcfg32] rundll32.exe "c:\documents and settings\dad\local settings\application data\tcpcommsplugin\Dfrgcfg32.dll",appWICres isaapisvc
mRun: [NVRaidService] c:\windows\system32\nvraidservice.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [AAWTray] c:\program files\lavasoft\ad-aware 2007\AAWTray.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ETDUSBWare] c:\program files\elan\usb\ETDUSBCtrl.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mPolicies-explorer: <NO NAME> =
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{7B72DCF6-05A4-4F9E-AA3A-7AE40B17951D} : NameServer = 192.168.0.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\dad\application data\mozilla\firefox\profiles\g587as8g.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\divx\divx plus web player\firefox\DivXHTML5
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: QuickWiki: {EE223D7A-F30F-11DD-8F0A-D2AD55D89593} - %profile%\extensions\{EE223D7A-F30F-11DD-8F0A-D2AD55D89593}
FF - Ext: TableTools2: tabletools2@mingyi.org - %profile%\extensions\tabletools2@mingyi.org
FF - Ext: Pixlr Grabber: {d47a9f51-8281-43fa-f450-f28ef8735e9a} - %profile%\extensions\{d47a9f51-8281-43fa-f450-f28ef8735e9a}
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-12-28 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-12-28 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2011-12-28 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-12-28 74640]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2009-5-15 14976]
S3 FXDRV;FXDRV;\??\d:\fxdrv.sys --> d:\Fxdrv.sys [?]
S3 hidflt;Elan HID/USB Mouse Driver;c:\windows\system32\drivers\ETDUSB.sys [2009-7-16 25088]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
.
=============== Created Last 30 ================
.
2011-12-29 14:29:54 -------- d-----w- c:\documents and settings\dad\application data\Malwarebytes
2011-12-29 14:29:43 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-12-29 14:29:39 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-29 14:29:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-28 19:01:11 -------- d-----w- c:\documents and settings\dad\application data\Avira
2011-12-28 18:55:04 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-12-28 18:55:04 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2011-12-28 18:55:04 -------- d-----w- c:\program files\Avira
2011-12-28 18:55:04 -------- d-----w- c:\documents and settings\all users\application data\Avira
2011-12-28 18:52:08 -------- d-----w- c:\documents and settings\dad\local settings\application data\pdlamtll
2011-12-17 09:02:08 -------- d--h--w- C:\$AVG8.VAULT$
2011-12-07 21:18:15 -------- d-----w- c:\documents and settings\dad\local settings\application data\tcpCommsplugin
.
==================== Find3M ====================
.
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-11 19:46:53 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33:08 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:03 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-20 23:26:22 94208 ----a-w- c:\windows\system32\dpl100.dll
2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
============= FINISH: 16:21:09.81 ===============
Malwarebytes log against file avguardmgr.exe:
Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org
Database version: v2011.12.29.03
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Dad :: CONSERVATORY [administrator]
29/12/2011 17:10:40
mbam-log-2011-12-29 (17-10-40).txt
Scan type: Custom scan
Scan options enabled: File System | Heuristics/Shuriken | PUP | PUM
Scan options disabled: Memory | Startup | Registry | Heuristics/Extra | P2P
Objects scanned: 1
Time elapsed: 2 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
C:\Program Files\Avira\AntiVir Desktop\avguardmgr.exe (Trojan.Downloader.bh) -> Delete on reboot.
(end)
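The DDS "Pseudo HJT Report" above still shows the surviving persistence point: a uRun entry that launches rundll32.exe against Dfrgcfg32.dll sitting under Local Settings\Application Data, which is exactly the RUNDLL error the poster now sees at boot. The Malwarebytes log also shows the three Security Center *DisableNotify values found set to 1, i.e. the notifications for a disabled AV, firewall and updates had been silenced. As an added example, not part of the original post and not code from the DDS or Malwarebytes tools, the Python below runs that triage over the log lines copied from the post: it flags Run entries whose executable, or whose rundll32-hosted DLL, lives in a user-writable location, and it collects the notification-suppression values. The mapping of the uRun/mRun/dRun prefixes to registry hives and the list of user-writable XP paths are my assumptions; the sample lines are constructed from the logs above.

```python
import re

# Constructed sample input: Run entries and Security Center lines copied from the
# DDS and Malwarebytes logs in the post (this script does not read the live registry).
SAMPLE_RUN_LINES = [
    'uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe',
    'uRun: [Dfrgcfg32] rundll32.exe "c:\\documents and settings\\dad\\local settings'
    '\\application data\\tcpcommsplugin\\Dfrgcfg32.dll",appWICres isaapisvc',
    'mRun: [NVRaidService] c:\\windows\\system32\\nvraidservice.exe',
    'mRun: [SoundMan] SOUNDMAN.EXE',
    'mRun: [NvCplDaemon] RUNDLL32.EXE c:\\windows\\system32\\NvCpl.dll,NvStartup',
    'mRun: [avgnt] "c:\\program files\\avira\\antivir desktop\\avgnt.exe" /min',
    'dRun: [CTFMON.EXE] c:\\windows\\system32\\CTFMON.EXE',
]
SAMPLE_MBAM_LINES = [
    'HKCU\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\control panel|Homepage '
    '(PUM.Hijack.HomePageControl) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.',
    'HKLM\\SOFTWARE\\Microsoft\\Security Center|AntiVirusDisableNotify '
    '(PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.',
    'HKLM\\SOFTWARE\\Microsoft\\Security Center|FirewallDisableNotify '
    '(PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.',
    'HKLM\\SOFTWARE\\Microsoft\\Security Center|UpdatesDisableNotify '
    '(PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.',
]

# Assumed DDS convention: uRun = HKCU, mRun = HKLM, dRun = HKU\.DEFAULT,
# all under ...\Software\Microsoft\Windows\CurrentVersion\Run.
HIVE = {'u': 'HKCU', 'm': 'HKLM', 'd': 'HKU\\.DEFAULT'}
RUN_KEY = '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run'
RUN_LINE = re.compile(r'^(?P<hive>[umd])Run:\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$')

# Assumed set of locations a standard XP user can write to. A legitimate autorun
# almost never lives here; malware dropped from a browser session almost always does.
USER_WRITABLE = re.compile(
    r'\\documents and settings\\[^\\]+\\(local settings\\)?application data\\'
    r'|\\local settings\\temp\\'
    r'|\\windows\\temp\\'
    r'|\\recycler\\',
    re.IGNORECASE,
)

# rundll32 <dll>,<export>: the host binary is a signed Windows file, so the
# DLL it is told to load is the real payload and the thing to judge.
RUNDLL32 = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S+)', re.IGNORECASE
)


def triage_autoruns(lines):
    """Return Run entries whose payload (exe, or rundll32-hosted DLL) is in a user-writable path."""
    hits = []
    for line in lines:
        m = RUN_LINE.match(line.strip())
        if not m:
            continue
        cmd = m.group('cmd')
        r = RUNDLL32.search(cmd)
        payload = r.group('dll') if r else cmd
        if USER_WRITABLE.search(payload):
            hits.append({
                'key': HIVE[m.group('hive')] + RUN_KEY,
                'name': m.group('name'),
                'payload': payload.strip(),
                'export': r.group('export') if r else None,
            })
    return hits


def security_center_tampering(lines):
    """Map each Security Center *DisableNotify value to the 'Bad' setting MBAM reported (1 = silenced)."""
    pat = re.compile(r'Security Center\|(?P<value>\w+DisableNotify).*?Bad:\s*\((?P<bad>\d+)\)')
    return {m.group('value'): int(m.group('bad')) for m in map(pat.search, lines) if m}


if __name__ == '__main__':
    for hit in triage_autoruns(SAMPLE_RUN_LINES):
        print(f"{hit['key']}\\{hit['name']} -> {hit['payload']} export={hit['export']}")
    for value, bad in security_center_tampering(SAMPLE_MBAM_LINES).items():
        print(f'Security Center {value} was {bad} (notifications suppressed)')
```

Run against the sample lines it reports only the Dfrgcfg32 entry: the Nvidia RUNDLL32 entries use the same host binary but load from system32, so the location of the DLL, not the presence of rundll32, is what separates them. The same logic applied to the earlier xgamwtuc.exe entry (a bare exe under Local Settings\Application Data\pdlamtll) would have flagged it as well. Deleting the Run value in regedit and the DLL on disk removes the RUNDLL error, but the Avira detection inside the Avira directory and the atapi device hooks in the GMER output are the reason the forum helper will want the full rootkit scan before calling the machine clean.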
21.Text files no longer appear in c:\documents and settings\dad\local settings\application data\ either when connected or not.
22.Can connect to the network/internet but IE doesn’t launch. Firefox launches but doesn’t show any web-site. Haven’t uninstalled/re-installed these two programs yet – that will be the next job but will await instructions before doing anything else.
23.Any help you can give will be much appreciated. Apologies for long post and for any mistakes I’ve made in trying to fix the problem.
24.Thanks in advance for your help.
Ian
Malwarebytes main log:
Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org
Database version: v2011.12.29.03
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Dad :: CONSERVATORY [administrator]
29/12/2011 14:32:59
mbam-log-2011-12-29 (14-32-59).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 201773
Time elapsed: 19 minute(s), 4 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 4
HKCU\SOFTWARE\Policies\Microsoft\Internet Explorer\control panel|Homepage (PUM.Hijack.HomePageControl) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
Folders Detected: 0
(No malicious items detected)
Files Detected: 5
C:\RECYCLER\S-1-5-21-1409082233-308236825-839522115-1004\Dc121\xgamwtuc.exe (Trojan.Downloader.bh) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-1409082233-308236825-839522115-1004\Dc127\xgamwtuc.exe (Trojan.Downloader.bh) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-1409082233-308236825-839522115-1004\Dc240\xgamwtuc.exe (Trojan.Downloader.bh) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\xgamwtuc.exe (Trojan.Downloader.bh) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\poxhyvwiopejwoxv.exe (Trojan.Downloader.bh) -> Quarantined and deleted successfully.
(end)
GMER auto start-up log: (not able to run full scan)
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-12-29 15:38:57
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\00000070 Maxtor_6V300F0 rev.VA111900
Running: t7xff30i.exe; Driver: C:\DOCUME~1\Dad\LOCALS~1\Temp\ufldrpow.sys
---- System - GMER 1.0.15 ----
SSDT spwq.sys ZwEnumerateKey [0xB9EC6CA2]
SSDT spwq.sys ZwEnumerateValueKey [0xB9EC7030]
---- Devices - GMER 1.0.15 ----
Device \Driver\atapi \Device\Ide\IdePort0 [B9DC9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [B9DC9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [B9DC9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [B9DC9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\imagedrv \Device\Scsi\imagedrv1 8A7551F8
Device \Driver\ab26jqzm \Device\Scsi\ab26jqzm1Port5Path0Target0Lun0 8A2C71F8
Device \Driver\ab26jqzm \Device\Scsi\ab26jqzm1 8A2C71F8
Device \Driver\imagedrv \Device\Scsi\imagedrv1Port4Path0Target0Lun0 8A7551F8
Device \FileSystem\Ntfs \Ntfs 8A7541F8
---- EOF - GMER 1.0.15 ----
DDS-Attach log:
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 05/05/2008 21:26:25
System Uptime: 29/12/2011 16:01:03 (0 hours ago)
.
Motherboard: WinFast | | C51MCP51
Processor: AMD Athlon(tm) 64 Processor 3700+ | Socket 939 | 2210/201mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 279 GiB total, 9.131 GiB free.
D: is CDROM (UDF)
E: is CDROM ()
G: is FIXED (NTFS) - 466 GiB total, 48.051 GiB free.
H: is CDROM ()
I: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description: Maxtor 1394 Storage Front Panel*
Device ID: 1394\MAXTOR&1394_STORAGE_FRONT_PANEL*\73F68C0020B91000
Manufacturer:
Name: Maxtor 1394 Storage Front Panel*
PNP Device ID: 1394\MAXTOR&1394_STORAGE_FRONT_PANEL*\73F68C0020B91000
Service:
.
Class GUID: {4D36E967-E325-11CE-BFC1-08002BE10318}
Description: Disk drive
Device ID: SBP2\MAXTOR&ONETOUCH&LUN0\0010B920008CF673
Manufacturer: (Standard disk drives)
Name: Maxtor OneTouch IEEE 1394 SBP2 Device
PNP Device ID: SBP2\MAXTOR&ONETOUCH&LUN0\0010B920008CF673
Service: disk
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
.
AC3Filter 1.62b
Adobe Acrobat 4.0
Adobe AIR
Adobe Community Help
Adobe Flash Player 10 Plugin
Adobe Flash Player 11 ActiveX
Adobe Photoshop CS5.1
Adobe Reader 8.3.1
µTorrent
Avira Free Antivirus
Canon MP Navigator EX 3.0
Canon MP560 series MP Drivers
Canon MP560 series User Registration
Canon Utilities Easy-PhotoPrint EX
Canon Utilities My Printer
Canon Utilities Solution Menu
CompuApps SwissKnife V3
ConvertXtoDVD 2.2.3.258
DivX Setup
FileZilla Client 3.5.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB981793)
InterVideo DeviceService
Java(TM) 6 Update 11
LDC Driving Test Complete
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
Malwarebytes Anti-Malware version 1.60.0.1800
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Age of Empires Gold
Microsoft Age of Empires II
Microsoft Age of Empires II: The Conquerors Expansion
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Software Update for Web Folders (English) 14
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft WSE 3.0 Runtime
Microsoft_VC80_ATL_x86
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
Microsoft_VC90_MFCLOC_x86
Mozilla Firefox (3.5.3)
MSN
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 7 Ultra Edition
neroxml
NOMAD Jukebox 3
NOMAD Jukebox 3 Driver
NVIDIA Drivers
PDF Settings CS5
Realtek AC'97 Audio
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982381)
Security Update for Windows XP (KB982665)
SmartPad Software 1.0
Success Builder Algebra 1
SuperUtility
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.6195
WebFldrs XP
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows XP Service Pack 3
WinRAR archiver
Xilisoft Video Converter Ultimate
.
==== Event Viewer Messages From Past Week ========
.
29/12/2011 15:41:23, error: System Error [1003] - Error code 1000007e, parameter1 c0000005, parameter2 805446b2, parameter3 ba56f868, parameter4 ba56f564.
29/12/2011 15:38:04, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 805446b2, parameter3 ab82daa4, parameter4 00000000.
29/12/2011 15:33:21, error: nvatabus [6] - Device Maxtor 6V300F0 [V60CYKKG] timed out an I/O operation.
29/12/2011 15:12:34, error: sbp2port [4] - Driver detected an internal error in its data structures for .
29/12/2011 14:29:01, error: MRxSmb [8003] - The master browser has received a server announcement from the computer DAD-LAP that believes that it is the master browser for the domain on transport NetBT_Tcpip_{7B72DCF6-05A4-4F9E-A. The master browser is stopping or an election is being forced.
29/12/2011 14:10:05, error: System Error [1003] - Error code 000000c2, parameter1 00000007, parameter2 00000cd4, parameter3 00000000, parameter4 ffdffffe.
29/12/2011 13:48:30, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: The system cannot find the file specified.
29/12/2011 13:48:26, error: SRService [104] - The System Restore initialization process failed.
28/12/2011 19:20:24, error: Service Control Manager [7034] - The Avira Realtime Protection service terminated unexpectedly. It has done this 4 time(s).
28/12/2011 18:58:47, error: Service Control Manager [7034] - The Avira Realtime Protection service terminated unexpectedly. It has done this 3 time(s).
28/12/2011 18:58:45, error: Service Control Manager [7031] - The Avira Realtime Protection service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
28/12/2011 18:58:43, error: Service Control Manager [7031] - The Avira Realtime Protection service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
28/12/2011 18:57:37, error: sbp2port [9] - The device, , did not respond within the timeout period.
.
==== End Of File ===========================
DDS-log:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Dad at 16:20:05 on 2011-12-29
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2046.1649 [GMT 0:00]
.
AV: AVG Anti-Virus Free *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Elan\USB\ETDUSBCtrl.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\wscntfy.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Dfrgcfg32] rundll32.exe "c:\documents and settings\dad\local settings\application data\tcpcommsplugin\Dfrgcfg32.dll",appWICres isaapisvc
mRun: [NVRaidService] c:\windows\system32\nvraidservice.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [AAWTray] c:\program files\lavasoft\ad-aware 2007\AAWTray.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ETDUSBWare] c:\program files\elan\usb\ETDUSBCtrl.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mPolicies-explorer: <NO NAME> =
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{7B72DCF6-05A4-4F9E-AA3A-7AE40B17951D} : NameServer = 192.168.0.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\dad\application data\mozilla\firefox\profiles\g587as8g.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\divx\divx plus web player\firefox\DivXHTML5
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: QuickWiki: {EE223D7A-F30F-11DD-8F0A-D2AD55D89593} - %profile%\extensions\{EE223D7A-F30F-11DD-8F0A-D2AD55D89593}
FF - Ext: TableTools2: tabletools2@mingyi.org - %profile%\extensions\tabletools2@mingyi.org
FF - Ext: Pixlr Grabber: {d47a9f51-8281-43fa-f450-f28ef8735e9a} - %profile%\extensions\{d47a9f51-8281-43fa-f450-f28ef8735e9a}
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-12-28 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-12-28 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2011-12-28 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-12-28 74640]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2009-5-15 14976]
S3 FXDRV;FXDRV;\??\d:\fxdrv.sys --> d:\Fxdrv.sys [?]
S3 hidflt;Elan HID/USB Mouse Driver;c:\windows\system32\drivers\ETDUSB.sys [2009-7-16 25088]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
.
=============== Created Last 30 ================
.
2011-12-29 14:29:54 -------- d-----w- c:\documents and settings\dad\application data\Malwarebytes
2011-12-29 14:29:43 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-12-29 14:29:39 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-29 14:29:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-28 19:01:11 -------- d-----w- c:\documents and settings\dad\application data\Avira
2011-12-28 18:55:04 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-12-28 18:55:04 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2011-12-28 18:55:04 -------- d-----w- c:\program files\Avira
2011-12-28 18:55:04 -------- d-----w- c:\documents and settings\all users\application data\Avira
2011-12-28 18:52:08 -------- d-----w- c:\documents and settings\dad\local settings\application data\pdlamtll
2011-12-17 09:02:08 -------- d--h--w- C:\$AVG8.VAULT$
2011-12-07 21:18:15 -------- d-----w- c:\documents and settings\dad\local settings\application data\tcpCommsplugin
.
==================== Find3M ====================
.
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-11 19:46:53 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33:08 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:03 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-20 23:26:22 94208 ----a-w- c:\windows\system32\dpl100.dll
2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
============= FINISH: 16:21:09.81 ===============
Malwarebytes log against file avguardmgr.exe:
Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org
Database version: v2011.12.29.03
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Dad :: CONSERVATORY [administrator]
29/12/2011 17:10:40
mbam-log-2011-12-29 (17-10-40).txt
Scan type: Custom scan
Scan options enabled: File System | Heuristics/Shuriken | PUP | PUM
Scan options disabled: Memory | Startup | Registry | Heuristics/Extra | P2P
Objects scanned: 1
Time elapsed: 2 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
C:\Program Files\Avira\AntiVir Desktop\avguardmgr.exe (Trojan.Downloader.bh) -> Delete on reboot.
(end)