IE7 and Chrome redirect hijack

Newbie Poster

11 posts since Feb 2011

Reputation Points: 10

Solved Threads: 0

http://www.bleepingcomputer.com/download/anti-virus/rkill

0

Hi, welcome to daniweb. Right of the bat I can tell you that this AVG2011 is NOT really AVG it is a new fake removal program, masking itself as the AVG anti-virus program.

You need to follow these steps, given in depth at
http://www.bleepingcomputer.com/virus-removal/remove-avg-antivirus-2011

Reboot your computer into Safe Mode with Networking. To do this, turn your computer off and then back on and immediately when you see anything on the screen, start tapping the F8 key on your keyboard. Once you get to the black DOS screen use your arrow keys to go to Safe Mode with Networking. Hit Enter to boot the computer to Safe Mode with Networking.
Once fully booted into Safe Mode with Networking you are going to have to end the processes that belong to AVG Antivirus 2011 and clean up some Registry settings so they do not interfere with the cleaning procedure. To do this, please download RKill to your desktop from the following link.

(Download page will open in a new tab or browser window.)

When at the download page, scroll down and click on the click on the link labeled eXplorer.exe download link. When you are prompted where to save it, please save it on your desktop.

Once it is downloaded, double-click on the eXplorer.exe icon in order to automatically attempt to stop any processes associated with AVG Antivirus 2011 and other Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that RKill is an infection, do not be concerned. This message is just a fake warning given by AVG Antivirus 2011 when it terminates programs that may potentially remove it. If you run into these infections warnings that close RKill, a trick is to leave the warning on the screen and then run RKill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate AVG Antivirus 2011 . So, please try running RKill until the malware is no longer running. You will then be able to proceed with the rest of the guide. If you continue having problems running RKill, you can download the other renamed versions of RKill from the rkill download page. All of the files are renamed copies of RKill, which you can try instead. Please note that the download page will open in a new browser window or tab.

http://www.bleepingcomputer.com/download/anti-virus/rkill

Do not reboot your computer after running RKill as the malware programs will start again.

Next Update MBA-M and run a Full Scan with it, allow it to Remove Everything found.
When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.

Once the computer reboots to normal mode please again update MBA-M and run another Full Scan with it. If other files are found please have the program Remove them, Reboot again.

Next follow the instruction on our Read Me sticky for downloading and running the DDS Scanner.

http://www.daniweb.com/forums/thread134865.html

After you have done that come back here and post the new MBA-M logs and both logs from the DDS scanner. Note, on of those logs, Attach.txt will tell you to Attach that log, please don't do that, please also copy/paste that log back here along with the others.

Posting Expert

Moderator

5,785 posts since Jul 2008

Reputation Points: 725

Solved Threads: 340

0

Dear jholland1964,

Thank you for your reply, I am quite sure the version of AVG I have installed is the genuine version, I installed it myself just yesterday from my memory stick.

Much of your very detailed (thank you) post does appear to be based upon the assumption that AVG is the fake one. Based on the hijack this log and other logs I provided is there something I should be running or trying to remove manually.

Cheers

James

Newbie Poster

11 posts since Feb 2011

Reputation Points: 10

Solved Threads: 0

0

Those steps I have given you are the same preliminary steps given for any and all fake alert/redirect infection, both of which you appear to have on the computer.

You may have run other steps, but you posted no other logs, other than the GMER log

Our Read Me Sticky very clearly asks each poster to run the following programs and post the logs:
GMER, which you have done; MBA-M which you say you ran but posted no logs from it, DDS Scanner evidently not run so no logs posted. All of those tools and their logs are vitally important for us to see so that we can decide what other tools need to be run. Whether your AVG2011 is the real thing or not makes no difference, even the legitimate AVG 2011 would NOT remove this type of infection and certainly would not remove a rootkit, which clearly shows in your GMER log.

You said you posted a HJT log, you did not. You may have thought you did, but it is not on this thread. But that said, if you noted in our Read Me sticky we don't ask for a HiJackThis log in the preliminary stages anymore because it does not show enough to make a judgement on these new infections, they rarely show in the HJT log anymore.

We "may" request it's use at a later time after all other steps are run but many times today that is never requested.

As I said, GMER clearly shows a rootkit on the computer. These can not be removed manually.

The steps given you are the standard steps given for any fake scanner infection and which your browser redirects show very likely is still on the computer.

I have no idea what you mean when you say this:
I was not able to download one of them as the bleepingcomputer website where the file is located is down.
Why would this LOG be at bleepingcomputer? Any tools run using the steps in our Read Me sticky produce logs ON your computer, not another website.

The only tool we request in our Read Me Sticky from bleepingcomputer is the DDS scanner and by clicking on DDS Scanner in our Read Me Sticky you would have automatically received the executable for that program, not taken to bleepingcomputer.

Since you don't wish to follow those steps then I say that of course is your choice.

I have no manual removal steps because rootkits are nearly impossible to remove manually but since you don't want to follow steps given here then I would advise you to try another forum for assistance.
Sorry.
Judy

Posting Expert

Moderator

5,785 posts since Jul 2008

Reputation Points: 725

Solved Threads: 340

0

Judy,

I appreciate that the help provided in this forum is free provided by volunteers, but I am not intentionally not following steps.

As you will see from the very bottom of my first post, it says 'Hijack this' in bold where I had pasted in the logs, I also posted the Malware Bytes log. The post was cut off for some reason, do you know if there is a post length limit.

My reference to bleeping computer being unavailable was that I couldn't download the installation file for DDS, as bleeping computer was not available when I read the sticky (at least to me), I wasn't suggesting that I would need to download a log from their website.

I am sorry that I tried to post the HJT log, this was standard procedure in previous forums I have posted on, so it was my first step before came across Daniweb and read the sticky.

I will now try to post the remaining logs including the DDS log.

James

DDS

DDS (Ver_10-12-12.02) - NTFSx86
Run by Helena Evans at 11:14:51.32 on 07/02/2011
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.522 [GMT 0:00]

============== Running Processes ===============

C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG10\avgtray.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\HelpCtr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
F:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SmileboxTray] "c:\documents and settings\helena evans\application data\smilebox\SmileboxTray.exe"
uRun: [Google Update] "c:\documents and settings\helena evans\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: []
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [\\d6z58c1j\EPSON Stylus Photo RX420 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fati9ce.exe /p42 "\\d6z58c1j\EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
mRun: [Auto EPSON Stylus Photo RX420 Series on d6z58c1j] c:\windows\system32\spool\drivers\w32x86\3\e_fati9ce.exe /p48 "auto epson stylus photo rx420 series on d6z58c1j" /o16 "\\d6z58c1j\EPSON" /M "Stylus Photo RX420"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [DataCardMonitor] c:\program files\t-mobile\web'n'walk manager\DataCardMonitor.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [RunNarrator] Narrator.exe
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: google.com \picasaweb
Trusted Zone: plaxo.com\www
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
DPF: {FF1CD9A3-00CD-45C1-8182-4EEC229A182D} - hxxps://www.plaxo.com/activex/plx_upldr-2k-xp.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mtroyveb.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\helena~1\applic~1\mozilla\firefox\profiles\k5mpike9.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\helena evans\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npdeploytk.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npnul32.dll
FF - plugin: c:\progra~1\mozill~1\plugins\NPOFFICE.DLL
FF - plugin: c:\progra~1\mozill~1\plugins\nppdf32.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npqtplugin.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npqtplugin2.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npqtplugin3.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npqtplugin4.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npqtplugin5.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npqtplugin6.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npqtplugin7.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npsnapfish.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: [email]jqs@sun.com[/email] - c:\program files\java\jre6\lib\deploy\jqs\ff

============= SERVICES / DRIVERS ===============

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [2007-4-5 3456]
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-8-27 587096]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-3 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-3 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-3 26192]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-2-3 517448]

=============== Created Last 30 ================

2011-02-03 21:51:04 -------- d-----w- c:\docume~1\helena~1\applic~1\AVG10
2011-02-03 21:50:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2011-02-03 21:48:57 -------- d-----w- c:\windows\system32\drivers\AVG
2011-02-03 17:37:11 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2011-02-03 17:25:00 -------- d-----w- C:\Adobe
2011-02-03 17:06:22 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2011-02-03 17:05:55 -------- d--h--w- C:\$AVG
2011-02-03 16:24:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2011-02-03 14:57:44 -------- d-----w- c:\docume~1\helena~1\applic~1\Malwarebytes
2011-02-03 14:56:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-03 14:56:04 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-02-03 14:56:01 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-03 14:56:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-31 16:23:07 0 ----a-w- c:\windows\system32\tmp.tmp
2011-01-31 16:23:06 47616 ----a-w- c:\windows\system32\mtroyveb.dll
2011-01-30 19:39:04 -------- d-----w- c:\docume~1\helena~1\applic~1\CCA89E87AB05CB6824B343F10FC0647E

==================== Find3M ====================

2010-12-02 03:35:18 4280320 ----a-w- c:\windows\system32\GPhotos.scr
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD3200BEVT-00ZAT0 rev.01.01A01 -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A4AB59F]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a4b17b0]; MOV EAX, [0x8a4b182c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x8A4C8AB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8A4D1250]
\Driver\atapi[0x8A476780] -> IRP_MJ_CREATE -> 0x8A4AB59F
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP2T0L0-3 -> \??\IDE#DiskWDC_WD3200BEVT-00ZAT0___________________01.01A01#5&24cbc6ab&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A4AB3E5
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 11:17:13.78 ===============

DDS Attach

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 05/04/2007 13:11:55
System Uptime: 04/02/2011 20:55:01 (63 hours ago)

Motherboard: Dell Inc. | | 0UW744
Processor: AMD Turion(tm) 64 Mobile Technology MK-36 | Socket M2/S1G1 | 1595/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 288 GiB total, 205.097 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 6.799 GiB free.
E: is CDROM ()
F: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Base System Device
Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_01F51028&REV_01\4&B216F0A&0&09A4
Manufacturer:
Name: Base System Device
PNP Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_01F51028&REV_01\4&B216F0A&0&09A4
Service:

==== System Restore Points ===================

RP1: 31/01/2011 18:49:58 - System Checkpoint
RP2: 01/02/2011 19:06:08 - System Checkpoint
RP3: 02/02/2011 19:53:35 - System Checkpoint
RP4: 03/02/2011 17:19:54 - Removed Roxio Update Manager
RP5: 03/02/2011 17:35:07 - Installed AVG 2011
RP6: 03/02/2011 17:38:02 - Installed AVG 2011
RP7: 03/02/2011 17:38:08 - Removed AVG 2011
RP8: 04/02/2011 09:28:09 - Software Distribution Service 3.0
RP9: 05/02/2011 10:06:56 - System Checkpoint
RP10: 06/02/2011 12:03:41 - System Checkpoint

==== Installed Programs ======================

AC3Filter (remove only)
Ad-Aware 2007
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
AMD Processor Driver
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Artisan DVD/DivX Player
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
AVG 2011
Bonjour
Bookworm Deluxe 1.13
Broadcom 440x 10/100 Integrated Controller
Broadcom Management Programs
Conexant HDA D110 MDC V.92 Modem
CutePDF Writer 2.7
Dell Wireless WLAN Card
EPE Non-Verbal Reasoning Volume 1
ffdshow (remove only)
Google Chrome
Google Earth
High Definition Audio Driver Package - KB835221
Highlight Viewer (Windows Live Toolbar)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Huawei Modems
iTunes
Java(TM) 6 Update 17
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Malwarebytes' Anti-Malware
Map Button (Windows Live Toolbar)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.0.15)
Mozilla Thunderbird (3.0)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Peggle Deluxe
Picasa 3
Play DVD v1.1
QuickTime
RM Maths Learning System (Remove only)
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler
Roxio MyDVD DE
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB2416400)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SigmaTel Audio
Smart Menus (Windows Live Toolbar)
Smilebox
Sonic Activation Module
Synaptics Pointing Device Driver
SyncBack
The Tutors Maths Volume 1
The Tutors Verbal Reasoning Beginner
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
web'n'walk Manager
WebFldrs XP
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Live Favorites for Windows Live Toolbar
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Media Format Runtime
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

04/02/2011 10:36:43, error: atapi [9] - The device, \Device\Ide\IdePort2, did not respond within the timeout period.
04/02/2011 09:32:05, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Internet Explorer 8 for Windows XP.
03/02/2011 21:45:23, error: Service Control Manager [7003] - The AVGIDSAgent service depends on the following nonexistent service: AVGIDSDriver
03/02/2011 18:31:42, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
03/02/2011 17:37:18, error: Service Control Manager [7000] - The AVG WatchDog service failed to start due to the following error: Access is denied.
03/02/2011 16:58:50, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
03/02/2011 16:58:01, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
03/02/2011 16:56:08, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
03/02/2011 16:56:06, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK8 AvgLdx86 AvgMfx86 Fips
03/02/2011 16:19:44, error: ati2mtag [43015] - I2c return failed
03/02/2011 16:19:37, error: ati2mtag [43016] - Not an EDID device
03/02/2011 14:57:49, error: Dhcp [1002] - The IP address lease 192.168.1.10 for the Network Card with network address 0019B954679E has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================

MBAM

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5668

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.13

03/02/2011 21:24:37
mbam-log-2011-02-03 (21-24-37).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 309210
Time elapsed: 2 hour(s), 12 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*bridgedbgpage.exe (Trojan.FakeAlert) -> Value: *bridgedbgpage.exe -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\simc124mods.exe (Trojan.FakeAlert) -> Value: simc124mods.exe -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\bridgedbgpage.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\cca89e87ab05cb6824b343f10fc0647e\simc124mods.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\jar_cache1115493462696655049.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\0.5402729062361002.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\0.899807648033471.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

End of Logs

Newbie Poster

11 posts since Feb 2011

Reputation Points: 10

Solved Threads: 0

http://www.bleepingcomputer.com/download/anti-virus/combofix

0

Ok fair enough, let's chalk this up to misunderstandings on both sides and get this computer cleaned.

First of all concerning the lack of the HJT log. Think that was just a glitch because as you see with this post, which is much longer than your original, there is no size limit and the HJT log should have easily been contained in your first post. It may be your paste just didn't paste. So always Preview your post BEFORE posting by clicking the Preview Post button and before you hit the Submit Post button so that if something doesn't show as it should you can fix it. Then also be sure to read through your post after hitting Submit and before leaving so that if something doesn't look right or post right you can click Edit and go back and fix it.

I WILL want to see a new one, but later, after all some other tools are run.

Now a question, you said you ran AVG 2011, which shows as installed on your computer however, in your DDS log it is not AVG 2011 showing as running but AVG 2010 so are you 100% certain that it is AVG 2011? You said you installed it from a Memory Stick. I would recommend you scan that file on the stick with MBA-M

Your DDS scan clearly shows a rootkit on there so you need to run this tool:

Please read carefully and follow these steps.

* Download TDSSKiller and save it to your Desktop.
* Extract its contents to your desktop.
* Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.

* If an infected file is detected, the default action will be Cure, click on Continue.

* If a suspicious file is detected, the default action will be Skip, click on Continue.

* It may ask you to reboot the computer to complete the process. Click on Reboot Now.

* If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
* If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Next please to the following:

Please download ComboFix by sUBs from

Please note that the BleepingComputer.com download link will expire in 10 minutes after you click it so if you don’t click within ten minutes after reaching the page you will need to refresh the page.

• You must download it to and run it from your Desktop
• Physically disconnect from the internet.
• Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
• Double click combofix.exe & follow the prompts.
• When ComboFix has finished running, you will see a screen stating that it is preparing the log report
• This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.
• Re-enable all the programs that were disabled during the running of ComboFix..
• Then post back here with that log and a new scan log from HiJackThis.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

Judy

Posting Expert

Moderator

5,785 posts since Jul 2008

Reputation Points: 725

Solved Threads: 340

0

Judy,

Thank you for your reply.

I have run the TDSSKiller and it did indeed find an infection and offere to cure it with a restart, which I did.

I have tried to disable AVG2011 (see screen shot links for confirmation of genuine software), but you can only disable components. I thought disabling the resident shield which is the only file access monitoring feature would be sufficient, however when run, combofix states AVG must be uninstalled. Is, in your opinion, it still necessary to run combo fix. Certainly the redirect issue has been resolved by TDSSKiller and as I stated in my original post, all other fake alerts were removed with AVG 2011 and Malware Bytes before I posted.

Please find below the HJT log as requested.

James

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 14:49:49, on 07/02/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17093)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\WLTRAY.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\Program Files\AVG\AVG10\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
F:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\System32\WLTRAY.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [\\d6z58c1j\EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P42 "\\d6z58c1j\EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo RX420 Series on d6z58c1j] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P48 "Auto EPSON Stylus Photo RX420 Series on d6z58c1j" /O16 "\\D6Z58C1J\EPSON" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DataCardMonitor] C:\Program Files\T-Mobile\web'n'walk Manager\DataCardMonitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SmileboxTray] "C:\Documents and Settings\Helena Evans\Application Data\Smilebox\SmileboxTray.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Helena Evans\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [upd_debug.exe] "C:\Documents and Settings\Helena Evans\Application Data\CCA89E87AB05CB6824B343F10FC0647E\upd_debug.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [msgeditcat.exe] "C:\Documents and Settings\LocalService\Application Data\msgeditcat.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [bridgedbgpage.exe] "C:\Program Files\bridgedbgpage.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} (ContactExtractor Class) - http://www.facebook.com/controls/contactx.dll
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O16 - DPF: {FF1CD9A3-00CD-45C1-8182-4EEC229A182D} (Plaxo Auto-Import Utility) - https://www.plaxo.com/activex/plx_upldr-2k-xp.cab
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 10642 bytes

Newbie Poster

11 posts since Feb 2011

Reputation Points: 10

Solved Threads: 0

0

Sorry, here are the images:
http://img833.imageshack.us/i/avg1.jpg/
http://img27.imageshack.us/i/avg2n.jpg/

James

Newbie Poster

11 posts since Feb 2011

Reputation Points: 10

Solved Threads: 0

0

Yes, absolutely Combofix must be run. Yes, Uninstall AVG. It frankly is not even ranked in the top 15 of good anti-virus programs anymore and would advise against using it.

Posting Expert

Moderator

5,785 posts since Jul 2008

Reputation Points: 725

Solved Threads: 340

0

Ok, I am uninstalling it now.

What does Combofix do that it needs anti-virus to be uninstalled?

What free or otherwise antivirus program would you reccomend, possibly you could tell me who the authority on ranking anti virus applications is that has ranked AVG outside of the top 15.

Will you want a new HJT log after combofix has run.

James

Yes, absolutely Combofix must be run. Yes, Uninstall AVG. It frankly is not even ranked in the top 15 of good anti-virus programs anymore and would advise against using it.

Newbie Poster

11 posts since Feb 2011

Reputation Points: 10

Solved Threads: 0

http://www.av-comparatives.org/comparativesreviews/summary-reports

0

The anti-virus program needs to be disabled because it may interfere with the proper running of ComboFix. Yours must be uninstalled because you couldn't get it to disable or turn off. There are many instances when an anti-virus program needs to be turned off because it may interfere or stop a program update, certain operating systems updates may be one of these times, removing deep infections such as a rootkit infection may be another.

The anti-virus ranking report I use is this one and the "not in top 15" comment refereed to the test results posted in December. I had not yet read the most recent tests rank it higher but not nearly as high as some others. AVG just does not offer the protection that other programs do and I have helped clean more machines running AVG than others in the past year. Second one I found much of the time on infected machines was McAfee in case you are wondering.

My personal recommendation for a good free av program is Avira. It consistently scores quite high in all of these tests. It offers excellent protection, I have used it myself for nearly three years.

Posting Expert

Moderator

5,785 posts since Jul 2008

Reputation Points: 725

Solved Threads: 340

0

Judy,

Here is the log file of combofix.

Cheers

James

ComboFix 11-02-06.02 - Helena Evans 07/02/2011 16:10:34.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1531 [GMT 0:00]
Running from: F:\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Helena Evans\Application Data\Adobe\plugs
c:\documents and settings\Helena Evans\Application Data\CCA89E87AB05CB6824B343F10FC0647E
c:\documents and settings\Helena Evans\Application Data\CCA89E87AB05CB6824B343F10FC0647E\enemies-names.txt
c:\documents and settings\Helena Evans\Application Data\CCA89E87AB05CB6824B343F10FC0647E\local.ini
c:\documents and settings\Helena Evans\Application Data\CCA89E87AB05CB6824B343F10FC0647E\lsrslt.ini
c:\documents and settings\Helena Evans\Recent\Thumbs.db
c:\documents and settings\NetworkService\Application Data\CCA89E87AB05CB6824B343F10FC0647E
c:\documents and settings\NetworkService\Application Data\CCA89E87AB05CB6824B343F10FC0647E\enemies-names.txt
c:\documents and settings\NetworkService\Application Data\CCA89E87AB05CB6824B343F10FC0647E\local.ini
c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.exe
c:\windows\system32\tmp.tmp . . . . Failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SSHNAS
-------\Service_usnjsvc

((((((((((((((((((((((((( Files Created from 2011-01-07 to 2011-02-07 )))))))))))))))))))))))))))))))
.

2011-02-07 16:21 . 2011-02-07 16:21 0 ----a-w- c:\windows\system32\tmp.tmp
2011-02-03 21:51 . 2011-02-03 21:51 -------- d-----w- c:\documents and settings\Helena Evans\Application Data\AVG10
2011-02-03 17:37 . 2011-02-03 17:37 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-02-03 17:25 . 2011-02-03 17:25 -------- d-----w- C:\Adobe
2011-02-03 17:06 . 2011-02-07 15:23 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-02-03 17:05 . 2011-02-03 17:05 -------- d-----w- C:\$AVG
2011-02-03 16:24 . 2011-02-03 21:47 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-02-03 14:57 . 2011-02-03 14:57 -------- d-----w- c:\documents and settings\Helena Evans\Application Data\Malwarebytes
2011-02-03 14:56 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-03 14:56 . 2011-02-03 14:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-02-03 14:56 . 2011-02-03 14:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-03 14:56 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-02 20:48 . 2011-02-02 20:49 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-01-31 16:23 . 2011-01-31 16:23 47616 ----a-w- c:\windows\system32\mtroyveb.dll
2011-01-31 03:45 . 2011-01-31 03:45 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ATI
2011-01-31 03:45 . 2011-01-31 03:45 -------- d-----w- c:\documents and settings\LocalService\Application Data\ATI
2011-01-26 18:27 . 2011-01-26 18:27 -------- d-----w- c:\documents and settings\Pippa\Local Settings\Application Data\Google
2011-01-09 14:22 . 2011-01-09 14:22 -------- d-----w- c:\documents and settings\Hannah\Application Data\ATI
2011-01-09 14:22 . 2011-01-09 14:22 -------- d-----w- c:\documents and settings\Hannah\Local Settings\Application Data\ATI
2011-01-09 14:22 . 2011-01-30 10:28 -------- d-----w- c:\documents and settings\Hannah\Local Settings\Application Data\ApplicationHistory

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-02 03:35 . 2010-12-02 03:35 4280320 ----a-w- c:\windows\system32\GPhotos.scr
2010-11-18 18:12 . 2007-04-05 12:07 81920 ----a-w- c:\windows\system32\isign32.dll
.

<pre>

c:\program files\Adobe\Reader 8.0\Reader\Reader_sl .exe

c:\program files\ATI Technologies\ATI.ACE\CLIStart .exe

c:\program files\AVG\AVG8\avgtray .exe

c:\program files\Common Files\InstallShield\UpdateService\issch .exe

c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9 .exe

c:\program files\iTunes\iTunesHelper .exe

c:\program files\Java\jre6\bin\jusched .exe

c:\program files\QuickTime\qttask .exe

c:\program files\Roxio\Drag-to-Disc\DrgToDsc .exe

c:\program files\Synaptics\SynTP\SynTPEnh .exe

c:\program files\T-Mobile\web'n'walk Manager\DataCardMonitor .exe

</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [N/A]
"SmileboxTray"="c:\documents and settings\Helena Evans\Application Data\Smilebox\SmileboxTray.exe" [2011-01-22 312640]
"Google Update"="c:\documents and settings\Helena Evans\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-12-20 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 282624]
"Broadcom Wireless Manager UI"="c:\windows\System32\WLTRAY.exe" [2007-03-16 1392640]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [N/A]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [N/A]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [N/A]
"\\d6z58c1j\EPSON Stylus Photo RX420 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE" [N/A]
"Auto EPSON Stylus Photo RX420 Series on d6z58c1j"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE" [N/A]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [N/A]
"DataCardMonitor"="c:\program files\T-Mobile\web'n'walk Manager\DataCardMonitor.exe" [N/A]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [N/A]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [N/A]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mtroyveb.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\WINDOWS\\LMI22.tmp\\lmi_rescue.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [05/04/2007 13:50 3456]
.
Contents of the 'Scheduled Tasks' folder

2011-02-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]

2011-02-07 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2011-02-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1060284298-1336601894-725345543-1003Core.job
- c:\documents and settings\Helena Evans\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-20 21:24]

2011-02-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1060284298-1336601894-725345543-1003UA.job
- c:\documents and settings\Helena Evans\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-20 21:24]

2011-02-06 c:\windows\Tasks\SyncBack REGULAR BACKUP.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2009-06-19 11:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: google.com \picasaweb
Trusted Zone: plaxo.com\www
FF - ProfilePath - c:\documents and settings\Helena Evans\Application Data\Mozilla\Firefox\Profiles\k5mpike9.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: [email]jqs@sun.com[/email] - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
AddRemove-Eleven Plus Exams The Tutors Maths Volume 1_is1 - c:\documents and settings\All Users\Desktop\ElevenPlusExams\unins000.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-07 16:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DataCardMonitor = c:\program files\T-Mobile\web'n'walk Manager\DataCardMonitor.exe?rs\CancelAutoplay\CLSID?CESSORS?? ?X???????@?=?????V???SOFTWARE\Microsoft\Windows\CurrentVersion\Run?32 ???/???????OCUME~1\HELENA~1\LOCALS~1\Temp\DataCardPM32.tmp?Files\Common Files\R?? ?%??

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\:õwjY*]
"DisplayName"="?\11\09"
"DeviceDesc"="?\11\09"
"ProviderName"="?\16?\11?\17?\11??"
"MFG"="???"
"ReinstallString"=".10.1000.7"
"DeviceInstanceIds"=multi:"c:\\dell\\drivers\\r134875\\smbus\\smbusati.inf\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(836)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(1072)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\windows\system32\wdfmgr.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
.
**************************************************************************
.
Completion time: 2011-02-07 16:30:12 - machine was rebooted
ComboFix-quarantined-files.txt 2011-02-07 16:29

Pre-Run: 220,523,106,304 bytes free
Post-Run: 221,591,515,136 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(3)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - E7DE8DC0AFC09039C660DBBBE3E3151F

The anti-virus program needs to be disabled because it may interfere with the proper running of ComboFix. Yours must be uninstalled because you couldn't get it to disable or turn off. There are many instances when an anti-virus program needs to be turned off because it may interfere or stop a program update, certain operating systems updates may be one of these times, removing deep infections such as a rootkit infection may be another.

The anti-virus ranking report I use is this one and the "not in top 15" comment refereed to the test results posted in December. I had not yet read the most recent tests rank it higher but not nearly as high as some others. AVG just does not offer the protection that other programs do and I have helped clean more machines running AVG than others in the past year. Second one I found much of the time on infected machines was McAfee in case you are wondering.

http://www.av-comparatives.org/comparativesreviews/summary-reports

My personal recommendation for a good free av program is Avira. It consistently scores quite high in all of these tests. It offers excellent protection, I have used it myself for nearly three years.

Newbie Poster

11 posts since Feb 2011

Reputation Points: 10

Solved Threads: 0

0

Well with the deletions shown in the log this certainly tells us that combofix was an absolute necessity. Let me get back with you soon on the next required steps, I need to confer with others on this.

Judy

Posting Expert

Moderator

5,785 posts since Jul 2008

Reputation Points: 725

Solved Threads: 340

0

Make sure to use Internet Explorer for this

Please go to VirSCAN.org FREE on-line scan service

Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

c:\windows\system32\mtroyveb.dll

If copy/paste does not work, you will have to browse to the file.

Click on the Upload button

If a pop-up appears saying the file has been scanned already, please select the ReScan button.

Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.

Paste the contents of the Clipboard in your next reply.

Posting Expert

Moderator

5,785 posts since Jul 2008

Reputation Points: 725

Solved Threads: 340

0

Judy FYI.

VirSCAN.org Scanned Report :
Scanned time : 2011/02/08 23:48:21 (CST)
Scanner results: 30% Scanner(s) (11/37) found malware!
File Name : mtroyveb.dll
File Size : 47616 byte
File Type : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bi
MD5 : 9d1d7ea7784a73d67819a97d856a0f7e
SHA1 : 532e6dac1cf2aa84eb9ef3621e3291c9cd2929f8
Online report : http://virscan.org/report/412b7378dcd6e2a17d5f78784a199d03.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.1.0.2 20110203090724 2011-02-03 0.08 -
AhnLab V3 2011.02.09.00 2011.02.09 2011-02-09 0.08 -
AntiVir 8.2.4.162 7.11.2.102 2011-02-08 0.29 TR/Kazy.10323
Antiy 2.0.18 2.0.18. 0002-18-00 0.02 -
Arcavir 2010 201102082307 2011-02-08 0.14 -
Authentium 5.1.1 201102081150 2011-02-08 1.64 -
AVAST! 4.7.4 110207-0 2011-02-07 0.01 Win32:Kryptik-ABU [Trj]
AVG 8.5.850 271.1.1/3430 2011-02-08 0.68 -
BitDefender 7.90123.6722434 7.36142 2011-02-08 6.39 Gen:Variant.Kazy.10323
ClamAV 0.96.5 12642 2011-02-08 0.10 -
Comodo 4.0 7618 2011-02-08 0.08 -
CP Secure 1.3.0.5 2011.02.08 2011-02-08 0.12 -
Dr.Web 5.0.2.3300 2011.02.08 2011-02-08 10.89 Trojan.DownLoader1.27910
F-Prot 4.4.4.56 20110208 2011-02-08 1.63 -
F-Secure 7.02.73807 2011.02.08.02 2011-02-08 0.19 IM-Worm.Win32.Yahos.om [AVP]
Fortinet 4.2.254 12.873 2011-02-07 0.08 -
GData 21.1746/21.674 20110208 2011-02-08 0.09 -
ViRobot 20110208 2011.02.08 2011-02-08 0.09 -
Ikarus T3.1.32.15.0 2011.02.08.77690 2011-02-08 4.95 Trojan.Win32.Spyeye
JiangMin 13.0.900 2011.02.08 2011-02-08 0.08 -
Kaspersky 5.5.10 2011.02.08 2011-02-08 0.13 IM-Worm.Win32.Yahos.om
KingSoft 2009.2.5.15 2011.2.8.11 2011-02-08 0.08 -
McAfee 5400.1158 6250 2011-02-07 7.20 Generic.dx!vrr
Microsoft 1.6502 2011.02.08 2011-02-08 0.08 -
NOD32 3.0.21 5856 2011-02-08 0.12 a variant of Win32/Kryptik.KGQ trojan
Norman 6.06.12 6.06.00 2011-01-18 14.02 -
Panda 9.05.01 2011.02.08 2011-02-08 0.09 -
Trend Micro 9.200-1012 7.822.11 2011-02-08 0.17 -
Quick Heal 11.00 2011.02.08 2011-02-08 0.10 -
Rising 20.0 23.44.01.06 2011-02-08 0.09 -
Sophos 3.16.1 4.62 2011-02-08 3.76 -
Sunbelt 3.9.2474.2 8348 2011-02-08 0.09 -
Symantec 1.3.0.24 20110207.002 2011-02-07 0.09 Trojan.Gen.2
nProtect 20110207.01 3130962 2011-02-07 0.08 -
The Hacker 6.7.0.1 v00126 2011-02-08 0.08 -
VBA32 3.12.14.3 20110208.1209 2011-02-08 3.35 IMWorm.Yahos.om
VirusBuster 5.2.0.28 13.6.189.0/44573142011-02-08 0.00 -

Newbie Poster

11 posts since Feb 2011

Reputation Points: 10

Solved Threads: 0

0

· Make sure that combofix.exe that you downloaded is on your Desktop but Do not run it!
o If it is not on your Desktop, the below will not work.
· Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

KillAll:: c:\windows\system32\tmp.tmp c:\windows\system32\mtroyveb.dll RENV:: c:\program files\Adobe\Reader 8.0\Reader\Reader_sl .exe c:\program files\ATI Technologies\ATI.ACE\CLIStart .exe c:\program files\AVG\AVG8\avgtray .exe c:\program files\Common Files\InstallShield\UpdateService\issch .exe c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9 .exe c:\program files\iTunes\iTunesHelper .exe c:\program files\Java\jre6\bin\jusched .exe c:\program files\QuickTime\qttask .exe c:\program files\Roxio\Drag-to-Disc\DrgToDsc .exe c:\program files\Synaptics\SynTP\SynTPEnh .exe c:\program files\T-Mobile\web'n'walk Manager\DataCardMonitor .exe

· Save the above asCFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
· At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
· You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
· Now use your mouse to drag CFscript.txt on top of ComboFix.exe
· Follow the prompts.
· When it finishes, a log will be produced named c:\combofix.txt
Please post back with that log.

Posting Expert

Moderator

5,785 posts since Jul 2008

Reputation Points: 725

Solved Threads: 340