Hi there,
Sorry to bother you, had a problem last year and you all were incredibly helpful. Very recently, started getting multiple pop-ups from some sites, particularly when initiating a Google search. WOT registered most of these sites as dangerous. Ran a scan using I've my anti-virus program (AVG) last week, came up with 56 warnings and 7 infected files (all Trojans - can provide specifics, if that would be helpful). Previous automated scans hadn't caught anything. Pop-up infestation continues, even though subsequent scans haven't caught any infected files. Very concerned, so ran through preliminary instructions. Logs are below (I noticed the DDS log mentioned something about "possible rootkit infection," hence the title). Please let me know if there's further info I can provide, and thanks for any assistance/advice you can offer:
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org
Database version: 4005
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180
2/14/2011 3:19:17 PM
mbam-log-2011-02-14 (15-19-17).txt
Scan type: Quick scan
Objects scanned: 112445
Time elapsed: 7 minute(s), 54 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-02-14 15:35:57
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdePort0 WDC_WD800BB-75JHA0 rev.05.01C05
Running: 049qrymt.exe; Driver: C:\DOCUME~1\Liz\LOCALS~1\Temp\ufddipod.sys
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 11: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
---- Devices - GMER 1.0.15 ----
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T1L0-17 822FF5F5
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 822FF5F5
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 822FF5F5
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-f 822FF5F5
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD800BB-75JHA0______________________05.01C05#5&2713bb34&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
---- EOF - GMER 1.0.15 ----
DDS (Ver_10-12-12.02) - NTFSx86
Run by Liz at 15:45:26.21 on Mon 02/14/2011
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.95 [GMT -5:00]
AV: AVG Anti-Virus Free *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan *Enabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *Enabled*
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
svchost.exe
C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
C:\Program Files\Panasonic\PHOTOfunSTUDIO 4.0\AutoStartupService.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG9\avgui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Liz\My Documents\Downloads\dds(2).scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=6.1&bm=ho_home
uInternet Connection Wizard,ShellNext = https://activate.verizon.net/launch/res1/html/vol_with_msn_help.html
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: WhiteSmoke Toolbar: {52794457-af6c-4c50-9def-f2e24f4c8889} - c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: WhiteSmoke Toolbar: {52794457-af6c-4c50-9def-f2e24f4c8889} - c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll
TB: {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - No File
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Motive SmartBridge] c:\progra~1\verizo~1\smartb~1\MotiveSB.exe
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [CTSysVol] c:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe /r
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [UpdReg] c:\windows\UpdReg.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\audibl~1.lnk - c:\program files\audible\bin\AudibleDownloadHelper.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photof~1.lnk - c:\program files\panasonic\photofunstudio 4.0\AutoStartupService.exe
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1269205387408
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170535137421
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389}
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
mASetup: {4BFBEBE3-34EC-4BEF-9BA9-8FEABF8C1B75} - rundll32.exe "c:\documents and settings\liz\application data\sun\iimsu.dll", UnregisterDll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\liz\applic~1\mozilla\firefox\profiles\3hljs8kd.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4bafb9c7&v=6.010.006.004&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - component: c:\documents and settings\liz\application data\mozilla\firefox\profiles\3hljs8kd.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\liz\application data\mozilla\firefox\profiles\3hljs8kd.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\documents and settings\liz\application data\mozilla\firefox\profiles\3hljs8kd.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg9\Firefox
FF - Ext: AVG Security Toolbar em:version=6.010.006.004 em:displayname=AVG Security Toolbar em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security Toolbar em:homepageURL=http://www.avg.com >: avg@igeared - c:\program files\avg\avg9\toolbar\firefox\avg@igeared
============= SERVICES / DRIVERS ===============
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-3-28 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-3-28 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-3-28 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-16 308136]
S1 MPFIREWL;MPFIREWL;c:\windows\system32\drivers\mpfirewall.sys --> c:\windows\system32\drivers\MpFirewall.sys [?]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-10-26 517448]
S3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys --> c:\windows\system32\drivers\naiavf5x.sys [?]
=============== Created Last 30 ================
2011-02-06 18:16:52 90112 ------w- c:\windows\Updreg.EXE
2011-02-06 18:16:49 84992 ------w- c:\windows\system32\SFCVRT32.DLL
2011-02-06 18:16:49 53552 ------w- c:\windows\CTCCW.DLL
2011-02-06 18:16:49 40960 ------w- c:\windows\system32\AC3API.DLL
2011-02-06 18:16:49 24976 ------w- c:\windows\CTRES.DLL
2011-02-06 18:16:47 82432 ------w- c:\windows\system32\CTWFLT32.DLL
2011-02-06 18:16:47 26768 ------w- c:\windows\system32\CTL3D.DLL
2011-02-06 18:16:45 -------- d-----w- c:\windows\system32\Defaults
2011-02-06 18:14:19 176128 ----a-w- c:\windows\system32\USBAudio.cpl
2011-02-06 18:14:19 135168 ----a-w- c:\windows\system32\USBAudio.crl
2011-02-06 18:12:34 15840 ----a-w- c:\windows\system32\drivers\Pfmodnt.sys
2011-02-06 17:22:20 -------- d-----w- c:\docume~1\liz\applic~1\AVG9
2011-02-03 03:55:59 -------- d-----w- c:\docume~1\liz\applic~1\whitesmoketoolbar
2011-02-02 02:14:53 -------- d-----w- c:\program files\whitesmoketoolbar
==================== Find3M ====================
=================== ROOTKIT ====================
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD800BB-75JHA0 rev.05.01C05 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x822FF7AF]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x823059b0]; MOV EAX, [0x82305a2c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x8234DAB8]
3 CLASSPNP[0xF85F905B] -> nt!IofCallDriver[0x804E37D5] -> [0x82352BD0]
\Driver\atapi[0x82367030] -> IRP_MJ_CREATE -> 0x822FF7AF
kernel: MBR read successfully
_asm { CLI ; MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; STI ; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62f; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD800BB-75JHA0______________________05.01C05#5&2713bb34&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x822FF5F5
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
============= FINISH: 15:46:29.70 ===============
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-12-12.02)
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 3/20/2010 3:38:20 PM
System Uptime: 2/14/2011 3:08:19 PM (0 hours ago)
Motherboard: Dell Computer Corp. | | 0F8403
Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Microprocessor | 2793/533mhz
==== Disk Partitions =========================
A: is Removable
C: is FIXED (NTFS) - 71 GiB total, 2.844 GiB free.
D: is CDROM ()
E: is CDROM ()
==== Disabled Device Manager Items =============
Class GUID:
Description:
Device ID: ROOT\LEGACY_MCDETECT.EXE\0000
Manufacturer:
Name:
PNP Device ID: ROOT\LEGACY_MCDETECT.EXE\0000
Service:
Class GUID:
Description:
Device ID: ROOT\LEGACY_MCSHIELD\0000
Manufacturer:
Name:
PNP Device ID: ROOT\LEGACY_MCSHIELD\0000
Service:
Class GUID:
Description:
Device ID: ROOT\LEGACY_MCTSKSHD.EXE\0000
Manufacturer:
Name:
PNP Device ID: ROOT\LEGACY_MCTSKSHD.EXE\0000
Service:
Class GUID:
Description:
Device ID: ROOT\LEGACY_MCUPDMGR.EXE\0000
Manufacturer:
Name:
PNP Device ID: ROOT\LEGACY_MCUPDMGR.EXE\0000
Service:
Class GUID:
Description:
Device ID: ROOT\LEGACY_MPFSERVICE\0000
Manufacturer:
Name:
PNP Device ID: ROOT\LEGACY_MPFSERVICE\0000
Service:
==== System Restore Points ===================
RP215: 1/1/2011 11:39:36 PM - System Checkpoint
RP216: 1/3/2011 1:01:05 AM - System Checkpoint
RP217: 1/4/2011 1:39:42 AM - System Checkpoint
RP218: 1/5/2011 2:18:08 AM - System Checkpoint
RP219: 1/6/2011 2:39:42 AM - System Checkpoint
RP220: 1/7/2011 3:39:38 AM - System Checkpoint
RP221: 1/8/2011 3:55:12 PM - System Checkpoint
RP222: 1/9/2011 4:09:41 PM - System Checkpoint
RP223: 1/10/2011 4:43:07 PM - System Checkpoint
RP224: 1/11/2011 10:24:11 PM - System Checkpoint
RP225: 1/13/2011 3:00:26 AM - Software Distribution Service 3.0
RP226: 1/17/2011 8:16:36 PM - System Checkpoint
RP227: 1/18/2011 8:42:10 PM - System Checkpoint
RP228: 1/20/2011 12:05:14 AM - System Checkpoint
RP229: 1/21/2011 12:16:40 AM - System Checkpoint
RP230: 1/22/2011 1:15:58 AM - System Checkpoint
RP231: 1/23/2011 2:16:00 AM - System Checkpoint
RP232: 1/24/2011 3:16:06 AM - System Checkpoint
RP233: 1/25/2011 3:56:27 AM - System Checkpoint
RP234: 1/26/2011 8:54:51 PM - System Checkpoint
RP235: 1/31/2011 10:40:14 PM - System Checkpoint
RP236: 2/1/2011 11:05:39 PM - System Checkpoint
RP237: 2/5/2011 11:54:24 AM - Installed HiJackThis
RP238: 2/5/2011 3:19:24 PM - Removed EarthLink setup files
RP239: 2/5/2011 3:21:02 PM - Removed Musicmatch for Windows Media Player
RP240: 2/5/2011 3:21:43 PM - Removed NetZeroInstallers
RP241: 2/5/2011 3:22:34 PM - Removed Sound Blaster Audigy
RP242: 2/5/2011 3:22:57 PM - Configured Your Application Name
RP243: 2/5/2011 3:23:12 PM - Configured Your Application Name
RP244: 2/5/2011 3:23:28 PM - Configured Your Application Name
RP245: 2/5/2011 3:23:41 PM - Configured Your Application Name
RP246: 2/5/2011 3:26:16 PM - Removed Sonic Update Manager
RP247: 2/6/2011 1:13:34 PM - Installed Sound Blaster Audigy
RP248: 2/6/2011 1:13:55 PM - Installed Your Application Name
RP249: 2/6/2011 1:54:47 PM - Configured E-Center
RP250: 2/6/2011 1:52:34 PM - Installed Your Application Name
RP251: 2/6/2011 1:53:29 PM - Configured Your Application Name
RP252: 2/6/2011 1:53:57 PM - Installed Your Application Name
RP253: 2/6/2011 1:54:26 PM - Installed Your Application Name
RP254: 2/7/2011 9:04:05 PM - System Checkpoint
RP255: 2/8/2011 9:09:07 PM - System Checkpoint
RP256: 2/9/2011 10:25:05 PM - System Checkpoint
RP257: 2/10/2011 11:14:11 PM - System Checkpoint
RP258: 2/11/2011 11:42:33 PM - System Checkpoint
RP259: 2/13/2011 12:14:11 AM - System Checkpoint
RP260: 2/14/2011 12:15:35 AM - System Checkpoint
==== Installed Programs ======================
ABBYY FineReader 5.0 Sprint Plus
Ad-Aware SE Personal
Adobe Acrobat - Reader 6.0.2 Update
Adobe Flash Player 10 Plugin
Adobe Illustrator 10
Adobe Photoshop 7.0
Adobe Reader 6.0.1
Adobe SVG Viewer 3.0
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Connectivity Services
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Audible Download Manager
AVG Free 9.0
Banctec Service Agreement
Bonjour
Conexant D850 56K V.9x DFVc Modem
Creative MediaSource
Dell Driver Reset Tool
Dell Media Experience
Dell Photo AIO Printer 922
Dell Picture Studio v3.0
Dell System Restore
DellSupport
Digital Line Detect
Engine Installer
G5a922EN
Get High Speed Internet!
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet for Wired Connections
Internet Explorer Default Page
iPod for Windows 2005-06-26
iTunes
Jasc Paint Shop Photo Album 5
Jasc Paint Shop Pro Studio, Dell Editon
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 16
Learn2 Player (Uninstall Only)
Macromedia Flash Player
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Office 2000 Small Business
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft SQL Server Compact 3.5 SP1 English
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Modem Helper
Mozilla Firefox (3.6.13)
MSN
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
Musicmatch® Jukebox
My Way Search Assistant
NetWaiting
PHOTOfunSTUDIO 4.0
PowerDVD 5.3
QuickTime
RealPlayer Basic
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB978695)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981350)
Security Update for Windows XP (KB982381)
Sonic DLA
Sonic RecordNow!
Sony USB Driver
Sound Blaster Live! 24-bit
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB925720)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB980182)
Verizon Online
Verizon Online Support Center
Viewpoint Media Player
WebFldrs XP
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
WordPerfect Office 12
==== Event Viewer Messages From Past Week ========
2/7/2011 8:10:50 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: MPFIREWL
2/14/2011 2:58:52 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
2/14/2011 2:58:52 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
2/14/2011 2:58:52 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
2/14/2011 2:58:49 PM, error: Service Control Manager [7034] - The AOL Connectivity Service service terminated unexpectedly. It has done this 1 time(s).
2/14/2011 2:58:49 PM, error: Service Control Manager [7031] - The AVG Free WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
2/14/2011 2:58:49 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
==== End Of File ===========================
Sorry to bother you, had a problem last year and you all were incredibly helpful. Very recently, started getting multiple pop-ups from some sites, particularly when initiating a Google search. WOT registered most of these sites as dangerous. Ran a scan using I've my anti-virus program (AVG) last week, came up with 56 warnings and 7 infected files (all Trojans - can provide specifics, if that would be helpful). Previous automated scans hadn't caught anything. Pop-up infestation continues, even though subsequent scans haven't caught any infected files. Very concerned, so ran through preliminary instructions. Logs are below (I noticed the DDS log mentioned something about "possible rootkit infection," hence the title). Please let me know if there's further info I can provide, and thanks for any assistance/advice you can offer:
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org
Database version: 4005
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180
2/14/2011 3:19:17 PM
mbam-log-2011-02-14 (15-19-17).txt
Scan type: Quick scan
Objects scanned: 112445
Time elapsed: 7 minute(s), 54 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-02-14 15:35:57
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdePort0 WDC_WD800BB-75JHA0 rev.05.01C05
Running: 049qrymt.exe; Driver: C:\DOCUME~1\Liz\LOCALS~1\Temp\ufddipod.sys
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 11: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
---- Devices - GMER 1.0.15 ----
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T1L0-17 822FF5F5
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 822FF5F5
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 822FF5F5
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-f 822FF5F5
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD800BB-75JHA0______________________05.01C05#5&2713bb34&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
---- EOF - GMER 1.0.15 ----
DDS (Ver_10-12-12.02) - NTFSx86
Run by Liz at 15:45:26.21 on Mon 02/14/2011
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.95 [GMT -5:00]
AV: AVG Anti-Virus Free *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan *Enabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *Enabled*
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
svchost.exe
C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
C:\Program Files\Panasonic\PHOTOfunSTUDIO 4.0\AutoStartupService.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG9\avgui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Liz\My Documents\Downloads\dds(2).scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=6.1&bm=ho_home
uInternet Connection Wizard,ShellNext = https://activate.verizon.net/launch/res1/html/vol_with_msn_help.html
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: WhiteSmoke Toolbar: {52794457-af6c-4c50-9def-f2e24f4c8889} - c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: WhiteSmoke Toolbar: {52794457-af6c-4c50-9def-f2e24f4c8889} - c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll
TB: {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - No File
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Motive SmartBridge] c:\progra~1\verizo~1\smartb~1\MotiveSB.exe
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [CTSysVol] c:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe /r
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [UpdReg] c:\windows\UpdReg.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\audibl~1.lnk - c:\program files\audible\bin\AudibleDownloadHelper.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photof~1.lnk - c:\program files\panasonic\photofunstudio 4.0\AutoStartupService.exe
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1269205387408
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170535137421
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389}
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
mASetup: {4BFBEBE3-34EC-4BEF-9BA9-8FEABF8C1B75} - rundll32.exe "c:\documents and settings\liz\application data\sun\iimsu.dll", UnregisterDll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\liz\applic~1\mozilla\firefox\profiles\3hljs8kd.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4bafb9c7&v=6.010.006.004&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - component: c:\documents and settings\liz\application data\mozilla\firefox\profiles\3hljs8kd.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\liz\application data\mozilla\firefox\profiles\3hljs8kd.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\documents and settings\liz\application data\mozilla\firefox\profiles\3hljs8kd.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg9\Firefox
FF - Ext: AVG Security Toolbar em:version=6.010.006.004 em:displayname=AVG Security Toolbar em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security Toolbar em:homepageURL=http://www.avg.com >: avg@igeared - c:\program files\avg\avg9\toolbar\firefox\avg@igeared
============= SERVICES / DRIVERS ===============
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-3-28 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-3-28 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-3-28 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-16 308136]
S1 MPFIREWL;MPFIREWL;c:\windows\system32\drivers\mpfirewall.sys --> c:\windows\system32\drivers\MpFirewall.sys [?]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-10-26 517448]
S3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys --> c:\windows\system32\drivers\naiavf5x.sys [?]
=============== Created Last 30 ================
2011-02-06 18:16:52 90112 ------w- c:\windows\Updreg.EXE
2011-02-06 18:16:49 84992 ------w- c:\windows\system32\SFCVRT32.DLL
2011-02-06 18:16:49 53552 ------w- c:\windows\CTCCW.DLL
2011-02-06 18:16:49 40960 ------w- c:\windows\system32\AC3API.DLL
2011-02-06 18:16:49 24976 ------w- c:\windows\CTRES.DLL
2011-02-06 18:16:47 82432 ------w- c:\windows\system32\CTWFLT32.DLL
2011-02-06 18:16:47 26768 ------w- c:\windows\system32\CTL3D.DLL
2011-02-06 18:16:45 -------- d-----w- c:\windows\system32\Defaults
2011-02-06 18:14:19 176128 ----a-w- c:\windows\system32\USBAudio.cpl
2011-02-06 18:14:19 135168 ----a-w- c:\windows\system32\USBAudio.crl
2011-02-06 18:12:34 15840 ----a-w- c:\windows\system32\drivers\Pfmodnt.sys
2011-02-06 17:22:20 -------- d-----w- c:\docume~1\liz\applic~1\AVG9
2011-02-03 03:55:59 -------- d-----w- c:\docume~1\liz\applic~1\whitesmoketoolbar
2011-02-02 02:14:53 -------- d-----w- c:\program files\whitesmoketoolbar
==================== Find3M ====================
=================== ROOTKIT ====================
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD800BB-75JHA0 rev.05.01C05 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x822FF7AF]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x823059b0]; MOV EAX, [0x82305a2c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x8234DAB8]
3 CLASSPNP[0xF85F905B] -> nt!IofCallDriver[0x804E37D5] -> [0x82352BD0]
\Driver\atapi[0x82367030] -> IRP_MJ_CREATE -> 0x822FF7AF
kernel: MBR read successfully
_asm { CLI ; MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; STI ; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62f; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD800BB-75JHA0______________________05.01C05#5&2713bb34&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x822FF5F5
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
============= FINISH: 15:46:29.70 ===============
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-12-12.02)
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 3/20/2010 3:38:20 PM
System Uptime: 2/14/2011 3:08:19 PM (0 hours ago)
Motherboard: Dell Computer Corp. | | 0F8403
Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Microprocessor | 2793/533mhz
==== Disk Partitions =========================
A: is Removable
C: is FIXED (NTFS) - 71 GiB total, 2.844 GiB free.
D: is CDROM ()
E: is CDROM ()
==== Disabled Device Manager Items =============
Class GUID:
Description:
Device ID: ROOT\LEGACY_MCDETECT.EXE\0000
Manufacturer:
Name:
PNP Device ID: ROOT\LEGACY_MCDETECT.EXE\0000
Service:
Class GUID:
Description:
Device ID: ROOT\LEGACY_MCSHIELD\0000
Manufacturer:
Name:
PNP Device ID: ROOT\LEGACY_MCSHIELD\0000
Service:
Class GUID:
Description:
Device ID: ROOT\LEGACY_MCTSKSHD.EXE\0000
Manufacturer:
Name:
PNP Device ID: ROOT\LEGACY_MCTSKSHD.EXE\0000
Service:
Class GUID:
Description:
Device ID: ROOT\LEGACY_MCUPDMGR.EXE\0000
Manufacturer:
Name:
PNP Device ID: ROOT\LEGACY_MCUPDMGR.EXE\0000
Service:
Class GUID:
Description:
Device ID: ROOT\LEGACY_MPFSERVICE\0000
Manufacturer:
Name:
PNP Device ID: ROOT\LEGACY_MPFSERVICE\0000
Service:
==== System Restore Points ===================
RP215: 1/1/2011 11:39:36 PM - System Checkpoint
RP216: 1/3/2011 1:01:05 AM - System Checkpoint
RP217: 1/4/2011 1:39:42 AM - System Checkpoint
RP218: 1/5/2011 2:18:08 AM - System Checkpoint
RP219: 1/6/2011 2:39:42 AM - System Checkpoint
RP220: 1/7/2011 3:39:38 AM - System Checkpoint
RP221: 1/8/2011 3:55:12 PM - System Checkpoint
RP222: 1/9/2011 4:09:41 PM - System Checkpoint
RP223: 1/10/2011 4:43:07 PM - System Checkpoint
RP224: 1/11/2011 10:24:11 PM - System Checkpoint
RP225: 1/13/2011 3:00:26 AM - Software Distribution Service 3.0
RP226: 1/17/2011 8:16:36 PM - System Checkpoint
RP227: 1/18/2011 8:42:10 PM - System Checkpoint
RP228: 1/20/2011 12:05:14 AM - System Checkpoint
RP229: 1/21/2011 12:16:40 AM - System Checkpoint
RP230: 1/22/2011 1:15:58 AM - System Checkpoint
RP231: 1/23/2011 2:16:00 AM - System Checkpoint
RP232: 1/24/2011 3:16:06 AM - System Checkpoint
RP233: 1/25/2011 3:56:27 AM - System Checkpoint
RP234: 1/26/2011 8:54:51 PM - System Checkpoint
RP235: 1/31/2011 10:40:14 PM - System Checkpoint
RP236: 2/1/2011 11:05:39 PM - System Checkpoint
RP237: 2/5/2011 11:54:24 AM - Installed HiJackThis
RP238: 2/5/2011 3:19:24 PM - Removed EarthLink setup files
RP239: 2/5/2011 3:21:02 PM - Removed Musicmatch for Windows Media Player
RP240: 2/5/2011 3:21:43 PM - Removed NetZeroInstallers
RP241: 2/5/2011 3:22:34 PM - Removed Sound Blaster Audigy
RP242: 2/5/2011 3:22:57 PM - Configured Your Application Name
RP243: 2/5/2011 3:23:12 PM - Configured Your Application Name
RP244: 2/5/2011 3:23:28 PM - Configured Your Application Name
RP245: 2/5/2011 3:23:41 PM - Configured Your Application Name
RP246: 2/5/2011 3:26:16 PM - Removed Sonic Update Manager
RP247: 2/6/2011 1:13:34 PM - Installed Sound Blaster Audigy
RP248: 2/6/2011 1:13:55 PM - Installed Your Application Name
RP249: 2/6/2011 1:54:47 PM - Configured E-Center
RP250: 2/6/2011 1:52:34 PM - Installed Your Application Name
RP251: 2/6/2011 1:53:29 PM - Configured Your Application Name
RP252: 2/6/2011 1:53:57 PM - Installed Your Application Name
RP253: 2/6/2011 1:54:26 PM - Installed Your Application Name
RP254: 2/7/2011 9:04:05 PM - System Checkpoint
RP255: 2/8/2011 9:09:07 PM - System Checkpoint
RP256: 2/9/2011 10:25:05 PM - System Checkpoint
RP257: 2/10/2011 11:14:11 PM - System Checkpoint
RP258: 2/11/2011 11:42:33 PM - System Checkpoint
RP259: 2/13/2011 12:14:11 AM - System Checkpoint
RP260: 2/14/2011 12:15:35 AM - System Checkpoint
==== Installed Programs ======================
ABBYY FineReader 5.0 Sprint Plus
Ad-Aware SE Personal
Adobe Acrobat - Reader 6.0.2 Update
Adobe Flash Player 10 Plugin
Adobe Illustrator 10
Adobe Photoshop 7.0
Adobe Reader 6.0.1
Adobe SVG Viewer 3.0
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Connectivity Services
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Audible Download Manager
AVG Free 9.0
Banctec Service Agreement
Bonjour
Conexant D850 56K V.9x DFVc Modem
Creative MediaSource
Dell Driver Reset Tool
Dell Media Experience
Dell Photo AIO Printer 922
Dell Picture Studio v3.0
Dell System Restore
DellSupport
Digital Line Detect
Engine Installer
G5a922EN
Get High Speed Internet!
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet for Wired Connections
Internet Explorer Default Page
iPod for Windows 2005-06-26
iTunes
Jasc Paint Shop Photo Album 5
Jasc Paint Shop Pro Studio, Dell Editon
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 16
Learn2 Player (Uninstall Only)
Macromedia Flash Player
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Office 2000 Small Business
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft SQL Server Compact 3.5 SP1 English
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Modem Helper
Mozilla Firefox (3.6.13)
MSN
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
Musicmatch® Jukebox
My Way Search Assistant
NetWaiting
PHOTOfunSTUDIO 4.0
PowerDVD 5.3
QuickTime
RealPlayer Basic
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB978695)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981350)
Security Update for Windows XP (KB982381)
Sonic DLA
Sonic RecordNow!
Sony USB Driver
Sound Blaster Live! 24-bit
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB925720)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB980182)
Verizon Online
Verizon Online Support Center
Viewpoint Media Player
WebFldrs XP
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
WordPerfect Office 12
==== Event Viewer Messages From Past Week ========
2/7/2011 8:10:50 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: MPFIREWL
2/14/2011 2:58:52 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
2/14/2011 2:58:52 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
2/14/2011 2:58:52 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
2/14/2011 2:58:49 PM, error: Service Control Manager [7034] - The AOL Connectivity Service service terminated unexpectedly. It has done this 1 time(s).
2/14/2011 2:58:49 PM, error: Service Control Manager [7031] - The AVG Free WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
2/14/2011 2:58:49 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
==== End Of File ===========================