
Hi. I am having some trouble with my computer. Here is a quick review of the issues... About a month ago my McAfee AV kept getting turned off. I could not figure out what was wrong. Nothing was found on any scans. I removed McAfee and got AVG Free Edition. It stopped doing that and has been working fine since then. Two days ago, my internet started going haywire. When I search for anything, the results are redirected to bogus advertising websites. You can type the URL in the address bar or go through Favorites and it works fine, but clicking on any results link redirects it. I have run AVG, SuperAntiSpyware, Windows Malicious Software Removal Tool and Malwarebytes. I ran AVG & SuperAntiSpyware this morning while in Safe Mode. AVG said it found a trojan horse Backdoor.Generic14.cbjj. It did not seem to remove it. It also found 4 viruses located in C:\Windows\Temp\kolfo...etc. SuperAntiSpyware found some cookies and registry keys affected. It said it removed them. AVG keeps popping up that a threat was found and the only option I have is to ignore it. Also, I noticed that I have my cookies under Internet Options set to med-high and it keeps getting changed to Accept All Cookies. So, here is what I have done and the results...

I ran Windows Malicious Software Removal Tool. It ran for almost 3 hours with a Full Scan and did not find anything.

I tried to run ATF Cleaner but it froze up and became unresponsive.

I ran GMER Rootkit scanner and was told "GMER has found system modification caused by rootkit activity." Here are the 2 logs:

GMER One:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-12-11 13:11:46
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST316002 rev.8.05
Running: 67nlsd8e.exe; Driver: C:\DOCUME~1\Chris\LOCALS~1\Temp\pwlyapog.sys


---- System - GMER 1.0.15 ----

SSDT spjx.sys ZwEnumerateKey [0xB9ECDDA4]
SSDT spjx.sys ZwEnumerateValueKey [0xB9ECE132]

---- Devices - GMER 1.0.15 ----

Device \Driver\iaStor \Device\Ide\iaStor0 [B9DDA440] iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B9D96B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [B9D96B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [B9DDA440] iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \FileSystem\Ntfs \Ntfs 8B0FE1F8

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

Device \FileSystem\Fastfat \Fat 8A1B21F8

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----

and GMER Two:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-11 14:21:42
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST316002 rev.8.05
Running: 67nlsd8e.exe; Driver: C:\DOCUME~1\Chris\LOCALS~1\Temp\pwlyapog.sys


---- System - GMER 1.0.15 ----

SSDT spjx.sys ZwCreateKey [0xB9EB50E0]
SSDT spjx.sys ZwEnumerateKey [0xB9ECDDA4]
SSDT spjx.sys ZwEnumerateValueKey [0xB9ECE132]
SSDT spjx.sys ZwOpenKey [0xB9EB50C0]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xAFA77F3C]
SSDT spjx.sys ZwQueryKey [0xB9ECE20A]
SSDT spjx.sys ZwQueryValueKey [0xB9ECE08A]
SSDT spjx.sys ZwSetValueKey [0xB9ECE29C]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB101A640]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xAFA78080]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xAFA7811C]

INT 0x62 ? 8B180BF8
INT 0x63 ? 8B113BF8
INT 0x74 ? 8AAF4BF8
INT 0x84 ? 8AAF4BF8
INT 0x94 ? 8AAF4BF8
INT 0xA4 ? 8AAF4BF8

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8B0FE1F8

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

Device \FileSystem\Fastfat \FatCdrom 8A1B21F8

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBPDO-0 8AAF31F8
Device \Driver\usbuhci \Device\USBPDO-1 8AAF31F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8B1141F8
Device \Driver\dmio \Device\DmControl\DmConfig 8B1141F8
Device \Driver\dmio \Device\DmControl\DmPnP 8B1141F8
Device \Driver\dmio \Device\DmControl\DmInfo 8B1141F8
Device \Driver\usbuhci \Device\USBPDO-2 8AAF31F8
Device \Driver\usbuhci \Device\USBPDO-3 8AAF31F8
Device \Driver\usbehci \Device\USBPDO-4 8AAC61F8

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Ftdisk \Device\HarddiskVolume1 8B1821F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{14166354-9FE3-4501-8186-4C84E5ED63D7} 8A3C2340
Device \Driver\Ftdisk \Device\HarddiskVolume2 8B1821F8
Device \Driver\Cdrom \Device\CdRom0 8AB55500
Device \Driver\iaStor \Device\Ide\iaStor0 [B9DDA440] iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B9D96B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [B9D96B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [B9DDA440] iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Ftdisk \Device\HarddiskVolume3 8B1821F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A3C2340
Device \Driver\NetBT \Device\NetbiosSmb 8A3C2340

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBFDO-0 8AAF31F8
Device \Driver\usbuhci \Device\USBFDO-1 8AAF31F8
Device \Driver\usbuhci \Device\USBFDO-2 8AAF31F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A2321F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A2321F8
Device \Driver\usbuhci \Device\USBFDO-3 8AAF31F8
Device \Driver\Ftdisk \Device\FtControl 8B1821F8
Device \Driver\usbehci \Device\USBFDO-4 8AAC61F8
Device \FileSystem\Fastfat \Fat 8A1B21F8

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs 8A1B1500
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) B1155000-B116C000 (94208 bytes)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SOFTWARE\Classes\CLSID\{4F24EEA3-C60E-F141-AB50-38A88B968AB9}\ExuexfuEtJelR@ [rWsmiPI~Tn[s_BxLlQqWVzr
Reg HKLM\SOFTWARE\Classes\CLSID\{4F24EEA3-C60E-F141-AB50-38A88B968AB9}\muuxjVfzUevL@ ZYiCjQZeH|OdbOI{sxNd_\nm_DT

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB22926$\1798836105 0 bytes
File C:\WINDOWS\$NtUninstallKB22926$\3633545501 0 bytes
File C:\WINDOWS\$NtUninstallKB22926$\3633545501\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB22926$\3633545501\bckfg.tmp 851 bytes
File C:\WINDOWS\$NtUninstallKB22926$\3633545501\cfg.ini 207 bytes
File C:\WINDOWS\$NtUninstallKB22926$\3633545501\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB22926$\3633545501\keywords 309 bytes
File C:\WINDOWS\$NtUninstallKB22926$\3633545501\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB22926$\3633545501\L 0 bytes
File C:\WINDOWS\$NtUninstallKB22926$\3633545501\L\myamqqou 75264 bytes
File C:\WINDOWS\$NtUninstallKB22926$\3633545501\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB22926$\3633545501\U 0 bytes
File C:\WINDOWS\$NtUninstallKB22926$\3633545501\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB22926$\3633545501\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB22926$\3633545501\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB22926$\3633545501\U\80000000.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB22926$\3633545501\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB22926$\3633545501\U\80000032.@ 98304 bytes

---- EOF - GMER 1.0.15 ----


Then, I ran Malwarebytes. I was told that 4 items were found and repaired. Here is the mbam log:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8351

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/11/2011 3:00:50 PM
mbam-log-2011-12-11 (15-00-50).txt

Scan type: Full scan (C:\|)
Objects scanned: 245031
Time elapsed: 35 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AH (Rogue.MultipleAV) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CLASSES_ROOT\ah\Content Type (Rogue.MultipleAV) -> Value: Content Type -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I restarted the computer and was going to do the DDS scan and got the BSOD with Stop Code 0x0000000A (0x0000001C, 0x00000002, 0x00000001, 0x806E7A16). I had to restart a second time. I then ran the DDS scan and here are the two files:

DDS.txt

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Chris at 15:09:52 on 2011-12-11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2683 [GMT -6:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG PC Tuneup\BoostSpeed.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.aol.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [DLBTCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLBTtime.dll,_RunDLLEntry@16
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Dell Photo AIO Printer 922] "c:\program files\dell photo aio printer 922\dlbtbmgr.exe"
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [CTHelper] CTHELPER.EXE
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
LSP: mswsock.dll
Trusted Zone: amazon.com
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
DPF: CabBuilder - hxxp://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://dcode.support.microsoft.com/dcode/ActiveX/MSDcode.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} - hxxp://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1277386514515
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A021A215-6CDC-44B4-8C16-90491CED9605} - hxxp://www.worldwinner.com/games/v68/clue/clue.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{14166354-9FE3-4501-8186-4C84E5ED63D7} : DhcpNameServer = 192.168.1.254
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-4 16720]
S2 0274931321212619mcinstcleanup;McAfee Application Installer Cleanup (0274931321212619);c:\docume~1\chris\locals~1\temp\027493~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\chris\locals~1\temp\027493~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S3 CamdAudio;CamdAudio;c:\windows\system32\drivers\CamdAudio.sys [2010-2-11 23096]
S3 DrmCAudio;DrmCAudio;c:\windows\system32\drivers\DrmCAudio.sys [2010-2-11 23096]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-12-26 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-12-26 40552]
S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2010-2-11 25704]
S3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [2010-2-11 25704]
S3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [2010-2-11 25704]
S3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [2010-2-11 25704]
S3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [2010-2-11 25704]
.
=============== File Associations ===============
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.
=============== Created Last 30 ================
.
2011-12-11 15:48:51 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-13 21:12:54 -------- d--h--w- C:\$AVG
2011-11-13 19:43:10 -------- d-----w- c:\documents and settings\chris\application data\AVG
2011-11-13 19:24:00 -------- d-----w- c:\documents and settings\chris\application data\AVG2012
2011-11-13 19:23:16 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-11-13 19:22:42 -------- d-----w- c:\windows\system32\drivers\AVG
2011-11-13 19:22:42 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
2011-11-13 19:22:02 -------- d-----w- c:\program files\AVG
2011-11-13 19:14:23 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-11-12 21:08:45 -------- d-----w- c:\program files\Windows Resource Kits
2011-11-12 20:09:31 -------- d-----w- c:\documents and settings\chris\application data\McAFee TechCheck
2011-11-12 19:50:19 -------- d-----w- c:\documents and settings\chris\application data\TechCheck
2011-11-12 19:42:32 244416 ----a-w- c:\windows\system32\Msflxgrd.ocx
2011-11-12 19:42:32 209192 ----a-w- c:\windows\system32\TABCTL32.OCX
2011-11-12 19:42:32 203976 ----a-w- c:\windows\system32\RICHTX32.OCX
.
==================== Find3M ====================
.
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-07 19:12:47 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-07 12:23:48 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-10-04 12:21:42 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 17:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 17:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 17:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-13 12:30:10 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
.
============= FINISH: 15:11:18.29 ===============

and Attach.txt

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 10/27/2007 5:42:31 PM
System Uptime: 12/11/2011 3:06:09 PM (0 hours ago)
.
Motherboard: Dell Inc. | | 0U7077
Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | Microprocessor | 3192/800mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 144 GiB total, 127.018 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description: Multimedia Audio Controller
Device ID: PCI\VEN_8086&DEV_266E&SUBSYS_01771028&REV_03\3&172E68DD&0&F2
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_8086&DEV_266E&SUBSYS_01771028&REV_03\3&172E68DD&0&F2
Service:
.
==== System Restore Points ===================
.
RP1: 11/13/2011 12:58:43 PM - System Checkpoint
RP2: 11/13/2011 1:22:01 PM - Installed AVG 2012
RP3: 11/13/2011 1:22:26 PM - Installed AVG 2012
RP4: 11/14/2011 2:33:45 PM - System Checkpoint
RP5: 11/15/2011 4:55:54 PM - System Checkpoint
RP6: 11/16/2011 5:02:59 PM - System Checkpoint
RP7: 11/17/2011 5:15:00 PM - System Checkpoint
RP8: 11/18/2011 6:55:21 PM - System Checkpoint
RP9: 11/19/2011 7:34:30 PM - System Checkpoint
RP10: 11/20/2011 8:47:22 PM - System Checkpoint
RP11: 11/21/2011 9:57:01 PM - System Checkpoint
RP12: 11/22/2011 10:13:52 PM - System Checkpoint
RP13: 11/23/2011 11:49:52 PM - System Checkpoint
RP14: 11/25/2011 12:02:51 AM - System Checkpoint
RP15: 11/26/2011 12:25:51 AM - System Checkpoint
RP16: 11/27/2011 1:00:49 AM - System Checkpoint
RP17: 11/28/2011 2:00:49 AM - System Checkpoint
RP18: 11/29/2011 3:00:49 AM - System Checkpoint
RP19: 11/30/2011 3:12:50 AM - System Checkpoint
RP20: 12/1/2011 3:59:20 AM - System Checkpoint
RP21: 12/2/2011 4:59:21 AM - System Checkpoint
RP22: 12/3/2011 5:59:21 AM - System Checkpoint
RP23: 12/4/2011 6:59:20 AM - System Checkpoint
RP24: 12/5/2011 9:00:32 AM - System Checkpoint
RP25: 12/6/2011 10:19:21 AM - System Checkpoint
RP26: 12/7/2011 10:51:13 AM - System Checkpoint
RP27: 12/8/2011 12:10:35 PM - System Checkpoint
RP28: 12/9/2011 12:45:23 PM - System Checkpoint
RP29: 12/9/2011 6:15:40 PM - AVG Regisry Defrag - before defragmentation
RP30: 12/9/2011 8:46:02 PM - Installed Microsoft Fix it 50195
RP31: 12/10/2011 11:34:24 PM - System Checkpoint
.
==== Installed Programs ======================
.
ABBYY FineReader 5.0 Sprint Plus
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Reader X (10.1.1)
Adobe SVG Viewer 3.0
AnswerWorks 4.0 Runtime - English
ATI Control Panel
ATI Display Driver
ATT-PRT22
AVG 2012
AVG PC Tuneup
Broadcom Advanced Control Suite 2
Canon Camera Access Library
CANON iMAGE GATEWAY MyCamera Download Plugin
CANON iMAGE GATEWAY Task for ZoomBrowser EX
Canon Internet Library for ZoomBrowser EX
Canon MOV Decoder
Canon MOV Encoder
Canon MovieEdit Task for ZoomBrowser EX
Canon Utilities CameraWindow DC 8
Canon Utilities CameraWindow Launcher
Canon Utilities MyCamera
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
Creative MediaSource
Dell Driver Download Manager
Dell Driver Download Manager - 1
Dell Driver Reset Tool
Dell Networking Guide
Dell Photo AIO Printer 922
Dell Support
Dell System Restore
Download Updater (AOL LLC)
getPlus(R)_ocx
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Intel Application Accelerator
Intel(R) 537EP V9x DF PCI Modem
Internet Explorer Default Page
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 17
Lizardtech Express View Browser Plug-in
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Professional
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Modem Event Monitor
Modem Helper
Modem On Hold
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Mystery Legends: Sleepy Hollow
Mystery P.I. The Curious Case of Counterfeit Cove
PowerDVD 5.3
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Sonic DLA
Sonic Encoders
Sonic RecordNow!
Sound Blaster Audigy 2 ZS
SUPERAntiSpyware
Unlocker 1.9.0
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB969497)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
WebFldrs XP
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format Runtime
Windows Media Player 10
Windows Resource Kit Tools
Windows XP Service Pack 3
Yahoo! Browser Services
Yahoo! Software Update
Yahoo! Toolbar
.
==== Event Viewer Messages From Past Week ========
.
12/9/2011 9:08:07 PM, error: Service Control Manager [7023] - The HID Input Service service terminated with the following error: The system cannot find the file specified.
12/9/2011 9:08:07 PM, error: Service Control Manager [7000] - The MCSTRM service failed to start due to the following error: The system cannot find the file specified.
12/9/2011 8:20:36 PM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
12/9/2011 8:19:31 PM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
12/9/2011 5:52:07 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'ipsec.sys' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
12/9/2011 5:39:52 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
12/9/2011 5:38:18 PM, error: Service Control Manager [7034] - The McciCMService service terminated unexpectedly. It has done this 1 time(s).
12/9/2011 5:38:18 PM, error: Service Control Manager [7034] - The IAA Event Monitor service terminated unexpectedly. It has done this 1 time(s).
12/9/2011 5:38:18 PM, error: Service Control Manager [7034] - The dlbt_device service terminated unexpectedly. It has done this 1 time(s).
12/9/2011 5:38:18 PM, error: Service Control Manager [7034] - The Canon Camera Access Library 8 service terminated unexpectedly. It has done this 1 time(s).
12/8/2011 3:39:06 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference error message: The referenced assembly is not installed on your system. .
12/8/2011 3:39:06 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Canon\ZoomBrowser EX\Program\MFC80U.DLL. Reference error message: The operation completed successfully. .
12/8/2011 3:39:06 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last Error was The referenced assembly is not installed on your system.
12/11/2011 8:21:06 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
12/11/2011 8:09:38 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Avgldx86 Avgmfx86 Fips intelppm SASDIFSV SASKUTIL sptd
12/11/2011 8:08:26 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
12/11/2011 8:08:12 AM, error: sptd [4] - Driver detected an internal error in its data structures for .
12/11/2011 3:07:58 PM, error: System Error [1003] - Error code 1000000a, parameter1 0000001c, parameter2 00000002, parameter3 00000001, parameter4 806e7a16.
12/10/2011 8:59:19 AM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
.
==== End Of File ===========================


If anyone has any idea how to get rid of the Trojan horse, please let me know. I am at a loss here, and any help is greatly appreciated.
