Google Redirect, Probably a Rootkit Issue

[FreeFal311]

Hi,
I'm in need of help. I recently suffered a malware attack, and I think it left me with a rootkit that is hijacking IE and redirecting all of my Google search links. I've run 5 different anti-virus/anti-malware programs exhaustively, and they are all returning clean at this point. The programs I have run include,

1. Spybot Search and Destroy
2. Malwarebytes Anti-Malware
3. SuperAnti-Spyware
4. Adaware SE
5. AVG Free

I believe all are up to date (or close). At this point, my system appears stable, except that as soon as I open IE and begin browsing, my searches are redirected, and my system is reinfested with all sorts of malware that the programs above detect all over again. I've seen files such as protect.dll, autochk.dll, ChkDsk.dll, srda64.exe, /lowsec in my system32 folder, user32.ds (which I believe is a stolen data file?), etc. At one point, immediately after infection, I experienced a proliferation of random 456637823.EXE processes in task manager. I think my rundll32.exe file even showed up as a virus during an AVG scan. I deleted this file, replaced it with a copy from my Service Pack folders, and am currently experiencing no instability. Like I said, I think I've cleaned up many of these issues with my anti-virus and anti-malware programs alone. But, I'm certain I have a low-level rootkit that is mantaining some degree of control over my system, and at this point, I could really use ya'lls help removing it. My system is currently unplugged from my router, and I won't dare hook it up again or launch IE until ya'll give me the "all ok." I'm opperating from a laptop and have a USB key to transfer files/utilities.

Also note, I am able to use FireFox. It doesn't appear that FireFox has been hijacked.

The contents of my DDS file are as follows,


DDS (Ver_09-03-16.01) - NTFSx86
Run by Matthew at 13:08:11.07 on Wed 04/29/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.486 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\System32\nslsvice.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\AVG8\avgrsx.exe
C:\AVG8\avgnsx.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\AVG8\avgemc.exe
C:\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\MXOALDR.EXE
C:\Maxtor\OneTouch\Utils\OneTouch.exe
C:\iTunes\iTunesHelper.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\AVG8\avgtray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Matthew\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [QuickTime Task] "c:\quicktime\qttask.exe" -atboottime
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [MXO Auto Loader] c:\windows\MXOALDR.EXE
mRun: [MimBoot] c:\progra~1\musicm~1\musicm~1\mimboot.exe
mRun: [MaxtorOneTouch] c:\maxtor\onetouch\utils\OneTouch.exe
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [iTunesHelper] "c:\itunes\iTunesHelper.exe"
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy2\surround mixer\CTSysVol.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTDVDDet] c:\program files\creative\sbaudigy2\dvdaudio\CTDVDDet.EXE
mRun: [AVG8_TRAY] c:\avg8\avgtray.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187475355340
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187476362093
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} - hxxp://www.instantaction.com/download/iaplayer.cab
Filter: text/html - {e1475f08-2194-4545-8903-a49a49772d53} - c:\windows\system32\
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\avg8\avgpp.dll
Notify: !SASWinLogon - c:\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\matthew\applic~1\mozilla\firefox\profiles\1avju18g.default\
FF - component: c:\avg8\firefox\components\avgssff.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-18 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-11-11 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-18 108552]
R1 SASDIFSV;SASDIFSV;c:\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\avg8\avgemc.exe [2009-4-18 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\avg8\avgwdsvc.exe [2009-4-18 298264]
S2 qkpwczbr;Logical Disk Manager Monitor;c:\windows\system32\svchost.exe -k netsvcs [2002-8-29 14336]
S3 SASENUM;SASENUM;c:\superantispyware\SASENUM.SYS [2009-3-23 7408]

=============== Created Last 30 ================

2009-04-29 11:29 33,280 a------- c:\windows\system32\rundll32.exe
2009-04-29 11:29 33,280 a------- c:\windows\system32\dllcache\rundll32.exe
2009-04-29 11:23 69,632 a------- c:\windows\system32\dllcache\umaxu12.dll
2009-04-29 11:22 57,856 a------- c:\windows\system32\dllcache\EXCH_scripto.dll
2009-04-29 11:21 132,695 a------- c:\windows\system32\dllcache\netwlan5.sys
2009-04-29 11:20 18,432 a------- c:\windows\system32\dllcache\jupiw.dll
2009-04-29 11:19 43,520 a------- c:\windows\system32\dllcache\EXCH_fcachdll.dll
2009-04-29 11:18 248,064 a------- c:\windows\system32\dllcache\cl546xm.sys
2009-04-29 11:17 382,592 a------- c:\windows\system32\dllcache\atidrab.dll
2009-04-28 11:36 43,136 a------- c:\windows\system32\drivers\sbp2port.sys
2009-04-28 11:36 43,136 a------- c:\windows\system32\dllcache\sbp2port.sys
2009-04-28 00:30 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-28 00:21 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-27 23:29 <DIR> --d----- c:\program files\Trend Micro
2009-04-27 22:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-27 22:36 <DIR> --d----- C:\SUPERAntiSpyware
2009-04-27 22:36 <DIR> --d----- c:\docume~1\matthew\applic~1\SUPERAntiSpyware.com
2009-04-27 21:44 388,608 a------- c:\windows\system32\CF24344.exe
2009-04-27 21:44 <DIR> --d----- C:\ComboFix
2009-04-27 20:27 <DIR> --d----- c:\docume~1\matthew\applic~1\Malwarebytes
2009-04-27 20:27 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-27 20:27 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-27 20:27 <DIR> --d----- C:\Malwarebytes' Anti-Malware
2009-04-27 20:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-26 21:46 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-04-26 20:23 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-04-26 20:23 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-04-26 20:23 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-04-26 20:23 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-04-26 18:59 <DIR> --d----- c:\windows\ERUNT
2009-04-26 18:53 <DIR> --d----- C:\SDFix
2009-04-18 15:16 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-04-18 13:09 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-04-18 13:09 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-18 13:09 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-18 13:09 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-04-18 13:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-04-18 13:08 <DIR> --d----- C:\AVG8

==================== Find3M ====================

2009-04-03 18:18 189,072 a------- c:\windows\system32\PnkBstrB.exe
2009-04-03 18:12 138,920 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-03-27 22:28 75,064 a------- c:\windows\system32\PnkBstrA.exe
2009-03-21 09:18 986,112 a------- c:\windows\system32\dllcache\kernel32.dll
2009-03-06 09:44 283,648 a------- c:\windows\system32\pdh.dll
2009-03-06 09:44 283,648 a------- c:\windows\system32\dllcache\pdh.dll
2009-03-02 19:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 19:18 826,368 a------- c:\windows\system32\dllcache\wininet.dll
2009-02-27 23:54 636,072 a------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 05:20 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 05:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 00:14 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-02-09 05:20 723,456 a------- c:\windows\system32\lsasrv.dll
2009-02-09 05:20 723,456 a------- c:\windows\system32\dllcache\lsasrv.dll
2009-02-09 05:20 399,360 a------- c:\windows\system32\rpcss.dll
2009-02-09 05:20 399,360 a------- c:\windows\system32\dllcache\rpcss.dll
2009-02-09 05:20 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 05:20 714,752 a------- c:\windows\system32\dllcache\ntdll.dll
2009-02-09 05:20 616,960 a------- c:\windows\system32\dllcache\advapi32.dll
2009-02-09 05:20 616,960 a------- c:\windows\system32\advapi32.dll
2009-02-09 05:20 473,088 a------- c:\windows\system32\dllcache\fastprox.dll
2009-02-09 05:20 453,120 a------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-02-09 05:19 1,846,272 a------- c:\windows\system32\win32k.sys
2009-02-09 05:19 1,846,272 a------- c:\windows\system32\dllcache\win32k.sys
2009-02-06 12:24 2,180,480 a------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 12:22 2,136,064 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 12:22 2,136,064 a------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 12:14 110,592 a------- c:\windows\system32\services.exe
2009-02-06 12:14 110,592 a------- c:\windows\system32\dllcache\services.exe
2009-02-06 11:54 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 11:54 35,328 a------- c:\windows\system32\dllcache\sc.exe
2009-02-06 11:49 2,057,728 a------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 11:49 2,015,744 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:49 2,015,744 a------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 11:39 227,840 a------- c:\windows\system32\dllcache\wmiprvse.exe
2009-02-03 15:08 55,808 a------- c:\windows\system32\secur32.dll
2009-02-03 15:08 55,808 a------- c:\windows\system32\dllcache\secur32.dll
2007-11-18 20:24 22,328 a------- c:\docume~1\matthew\applic~1\PnkBstrK.sys
2007-08-17 19:20 246 a------- c:\program files\common files\lavu
2007-08-17 18:37 6,473 ---sh--- c:\windows\system32\ybeeg.bak1

============= FINISH: 13:08:35.40 ===============

Thanks in advance for your help!

[tetonbob]

Hello, and Welcome to TSF.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, steal critical system information and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

You can read this: How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

Since the machine is disconnected, and you have means to transfer tools, please use these instructions. You can view this webpage also,

http://www.bleepingcomputer.com/comb...o-use-combofix


and look at Manual Install Of Recovery Console

http://www.bleepingcomputer.com/comb...anual_recovery

1. Download ComboFix from one of these locations:
   
   Link 1
   Link 2
   Link 3
   
   * IMPORTANT !!! Place combofix.exe on your Desktop
   
2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
   
3. Please do this:
   
   Go to Microsoft's website => http://support.microsoft.com/kb/310994
   Select the download that's appropriate for your Operating System
   
   
   
   
   
   Download the file & save it as it's originally named, next to ComboFix.exe.
   
   
   
   
4. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
   
   Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
   
   
   
   
   
   The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
   
   With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
   
   
   Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
   
   ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.
   
   As part of installing the Recovery Console, ComboFix will begin to run. Follow the prompts to install the Recovery Console. Your desktop may disappear. This is normal. It will return.
   
   Once the Recovery Console is installed using ComboFix, you should see a message that says:
   
   The Recovery Console was successfully installed.
   
   
   
   Click on Yes, to continue scanning for malware.
   
5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
   
6. When finished, it shall produce a log for you. Post that log in your next reply
   
   Note:
   Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
   
   ---------------------------------------------------------------------------------------------
   
7. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.
   
   ---------------------------------------------------------------------------------------------

[FreeFal311]

Hi Tetonbob,

First, thank you so much for responding to my post. I am at work at the moment but will begin following your instructions as soon as I get home. I'll reply again with the information requested once I'm done.

Kind Regards

[tetonbob]

Hi FreeFal311 -

Ok, will be looking for the log in next reply.

[FreeFal311]

Hi tetonbob-

Again, thank you for the help! ComboFix ran successfully, and my log is below.

ComboFix 09-05-02.4 - Matthew 05/02/2009 13:40.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.634 [GMT -5:00]
Running from: c:\documents and settings\Matthew\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Matthew\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\msettings.ini
c:\windows\system32\drivers\ovfsthxhqntykdn.sys
c:\windows\system32\open.ico
c:\windows\system32\ovfsthxbkvubrow.dat
c:\windows\system32\ovfsthxmfkxvaao.dll
c:\windows\system32\ovfsthxnuvawfbb.dat
c:\windows\system32\ovfsthxpmybtklp.dll
c:\windows\system32\ovfsthxqorkcxer.dll
c:\windows\system32\tmp.reg
c:\windows\SYSTEM32\ybeeg.bak1

Infected copy of c:\windows\system32\sfcfiles.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\sfcfiles.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthxafhmoscc
-------\Legacy_SFC
-------\Service_sfc


((((((((((((((((((((((((( Files Created from 2009-04-02 to 2009-05-02 )))))))))))))))))))))))))))))))
.

2009-04-29 16:29 . 2004-08-04 07:56 33280 ----a-w c:\windows\system32\dllcache\rundll32.exe
2009-04-29 16:29 . 2004-08-04 07:56 33280 ----a-w c:\windows\system32\rundll32.exe
2009-04-29 16:23 . 2001-08-18 03:36 26624 ----a-w c:\windows\system32\dllcache\umaxu22.dll
2009-04-29 16:22 . 2001-08-18 03:36 57856 ----a-w c:\windows\system32\dllcache\EXCH_scripto.dll
2009-04-29 16:21 . 2001-08-17 17:12 32840 ----a-w c:\windows\system32\dllcache\ngrpci.sys
2009-04-29 16:20 . 2001-08-17 19:55 6144 ----a-w c:\windows\system32\dllcache\kbd101b.dll
2009-04-29 16:19 . 2001-08-18 03:36 43520 ----a-w c:\windows\system32\dllcache\EXCH_fcachdll.dll
2009-04-29 16:18 . 2001-08-17 18:57 248064 ----a-w c:\windows\system32\dllcache\cl546xm.sys
2009-04-29 16:17 . 2001-08-17 19:56 268160 ----a-w c:\windows\system32\dllcache\atidvai.dll
2009-04-28 16:36 . 2004-08-04 05:59 43136 ----a-w c:\windows\system32\dllcache\sbp2port.sys
2009-04-28 16:36 . 2004-08-04 05:59 43136 ----a-w c:\windows\system32\drivers\sbp2port.sys
2009-04-28 05:21 . 2009-04-28 05:30 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-28 04:29 . 2009-04-28 04:29 -------- d-----w c:\program files\Trend Micro
2009-04-28 03:36 . 2009-04-28 03:36 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-28 03:36 . 2009-04-29 13:57 -------- d-----w C:\SUPERAntiSpyware
2009-04-28 03:36 . 2009-04-28 03:36 -------- d-----w c:\documents and settings\Matthew\Application Data\SUPERAntiSpyware.com
2009-04-28 01:27 . 2009-04-28 01:27 -------- d-----w c:\documents and settings\Matthew\Application Data\Malwarebytes
2009-04-28 01:27 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-28 01:27 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-28 01:27 . 2009-04-28 01:27 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-28 01:27 . 2009-04-28 01:27 -------- d-----w C:\Malwarebytes' Anti-Malware
2009-04-27 02:46 . 2009-04-27 18:28 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-27 01:23 . 2009-04-27 01:23 -------- d-----w c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-04-27 01:23 . 2009-04-27 01:23 -------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-04-27 01:23 . 2009-04-27 01:23 -------- d-----w c:\program files\SDHelper (Spybot - Search & Destroy)
2009-04-27 01:23 . 2009-04-27 01:23 -------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-04-26 23:59 . 2009-04-26 23:59 -------- d-----w c:\windows\ERUNT
2009-04-26 23:53 . 2009-04-29 03:06 -------- d-----w C:\SDFix
2009-04-18 20:16 . 2009-04-29 12:54 -------- d--h--w C:\$AVG8.VAULT$
2009-04-18 18:09 . 2009-04-18 18:09 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-18 18:09 . 2009-04-18 18:09 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-18 18:09 . 2009-04-18 18:09 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-18 18:09 . 2009-04-28 11:35 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-18 18:08 . 2009-04-28 11:35 -------- d-----w C:\AVG8
2009-04-18 18:08 . 2009-04-27 00:08 -------- d-----w c:\documents and settings\All Users\Application Data\avg8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-02 18:44 . 2004-01-12 21:01 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-02 18:43 . 2004-09-09 03:49 288 ----a-w c:\windows\system32\DVCStateBkp-{00000002-00000000-00000003-00001102-00000004-10031102}.dat
2009-05-02 18:43 . 2004-09-09 03:49 288 ----a-w c:\windows\system32\DVCState-{00000002-00000000-00000003-00001102-00000004-10031102}.dat
2009-04-28 05:30 . 2004-01-12 21:06 -------- d-----w c:\program files\Java
2009-04-23 21:15 . 2008-12-23 05:18 284 ----a-w c:\windows\Tasks\AppleSoftwareUpdate.job
2009-04-03 23:18 . 2007-07-12 02:37 189072 ----a-w c:\windows\system32\PnkBstrB.exe
2009-04-03 23:12 . 2007-07-12 02:38 138920 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-03-28 03:28 . 2007-11-19 01:24 75064 ----a-w c:\windows\system32\PnkBstrA.exe
2009-03-06 14:44 . 2002-08-29 11:00 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-06-23 16:33 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 07:56 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 10:20 . 2005-07-26 04:31 399360 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:20 . 2002-08-29 11:00 723456 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:20 . 2002-08-29 11:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:20 . 2002-08-29 11:00 616960 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:19 . 2002-08-29 11:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-06 17:22 . 1980-01-01 06:00 2136064 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 17:14 . 2002-08-29 11:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 16:54 . 2002-08-29 11:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 16:49 . 1980-01-01 06:00 2015744 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 20:08 . 2002-08-29 11:00 55808 ----a-w c:\windows\system32\secur32.dll
2007-08-18 00:20 . 2007-08-17 23:32 246 ----a-w c:\program files\Common Files\lavu
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\quicktime\qttask.exe" [2008-11-04 413696]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
"MXO Auto Loader"="c:\windows\MXOALDR.EXE" [2003-04-08 118784]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe" [2006-01-19 11776]
"MaxtorOneTouch"="c:\maxtor\OneTouch\Utils\OneTouch.exe" [2003-05-21 45056]
"iTunesHelper"="c:\itunes\iTunesHelper.exe" [2008-11-20 290088]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2003-09-15 126976]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152]
"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]
"AVG8_TRAY"="c:\avg8\avgtray.exe" [2009-04-18 1932568]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-28 148888]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-05-16 19968]
"CTHelper"="CTHELPER.EXE" - c:\windows\SYSTEM32\CTHELPER.EXE [2007-10-28 28672]
"AsioReg"="CTASIO.DLL" - c:\windows\SYSTEM32\CTASIO.DLL [2003-02-20 110592]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\superantispyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w c:\superantispyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-18 18:09 10520 ----a-w c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MCVSRte"=3 (0x3)
"mcupdmgr.exe"=3 (0x3)
"McShield"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\mIRC\\mirc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\\FileZilla\\filezilla.exe"=
"c:\\AIM\\aim.exe"=
"c:\\Battlefield 2\\BF2.exe"=
"c:\\Enemy Territory - QUAKE Wars Beta\\etqw.exe"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrA.exe"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrB.exe"=
"c:\\Call of Duty\\CoDMP.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Tribes\\Tribes.exe"=
"c:\\LimeWire\\LimeWire.exe"=
"c:\\Call of Duty 4\\iw3mp.exe"=
"c:\\iTunes\\iTunes.exe"=
"c:\\AVG8\\avgemc.exe"=
"c:\\AVG8\\avgupd.exe"=
"c:\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 qkpwczbr;Logical Disk Manager Monitor;c:\windows\System32\svchost.exe [2004-08-04 14336]
R3 SASENUM;SASENUM;c:\superantispyware\SASENUM.SYS [2009-03-23 7408]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-18 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-18 108552]
S1 SASDIFSV;SASDIFSV;c:\superantispyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\superantispyware\SASKUTIL.sys [2009-03-23 72944]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\avg8\avgemc.exe [2009-04-18 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\avg8\avgwdsvc.exe [2009-04-18 298264]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
qkpwczbr

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{52fc83e4-3411-11de-ba24-000cf1a3d844}]
\Shell\AutoRun\command - F:\InstallSeagateManager.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:34]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
FF - ProfilePath - c:\documents and settings\Matthew\Application Data\Mozilla\Firefox\Profiles\1avju18g.default\
FF - component: c:\avg8\Firefox\components\avgssff.dll
FF - component: c:\mozilla firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-02 13:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\superantispyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3684)
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\nslsvice.exe
c:\windows\SYSTEM32\nsl.exe
c:\windows\SYSTEM32\ati2evxx.exe
c:\windows\SYSTEM32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\program files\Intel\Intel Application Accelerator\IAANTmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Lotus\Notes\ntmulti.exe
c:\windows\SYSTEM32\PnkBstrA.exe
c:\windows\SYSTEM32\PnkBstrB.exe
c:\windows\SYSTEM32\MsPMSPSv.exe
c:\avg8\avgrsx.exe
c:\avg8\avgnsx.exe
c:\avg8\avgcsrvx.exe

[tetonbob]

Good job, FreeFal311.

It should be safe after this next fix to connect the machine to the internet again, if it's not already.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
   
2. Open notepad and copy/paste the text in the quotebox below into it:
   
   
   Quote:

   Driver::
   qkpwczbr
   NetSvc::
   qkpwczbr
   
   
   

   Save this as CFScript.txt
   
   
   
   
   Referring to the picture above, drag CFScript.txt into ComboFix.exe
   
   
   
3. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
   
4. When finished, it shall produce a log for you. Post that log in your next reply
   
   Note:
   Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
   
   ---------------------------------------------------------------------------------------------
   
5. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.
   
   
   ---------------------------------------------------------------------------------------------

[FreeFal311]

Hi tetnonbob-

ComboFix ran successfully again with the script file you instructed me to create. Thank you again! My log is as follows:

ComboFix 09-05-02.4 - Matthew 05/02/2009 16:05.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.554 [GMT -5:00]
Running from: c:\documents and settings\Matthew\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Matthew\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_QKPWCZBR
-------\Service_qkpwczbr


((((((((((((((((((((((((( Files Created from 2009-04-02 to 2009-05-02 )))))))))))))))))))))))))))))))
.

2009-04-29 16:29 . 2004-08-04 07:56 33280 ----a-w c:\windows\system32\dllcache\rundll32.exe
2009-04-29 16:29 . 2004-08-04 07:56 33280 ----a-w c:\windows\system32\rundll32.exe
2009-04-29 16:23 . 2001-08-18 03:36 26624 ----a-w c:\windows\system32\dllcache\umaxu22.dll
2009-04-29 16:22 . 2001-08-18 03:36 57856 ----a-w c:\windows\system32\dllcache\EXCH_scripto.dll
2009-04-29 16:21 . 2001-08-17 17:12 32840 ----a-w c:\windows\system32\dllcache\ngrpci.sys
2009-04-29 16:20 . 2001-08-17 19:55 6144 ----a-w c:\windows\system32\dllcache\kbd101b.dll
2009-04-29 16:19 . 2001-08-18 03:36 43520 ----a-w c:\windows\system32\dllcache\EXCH_fcachdll.dll
2009-04-29 16:18 . 2001-08-17 18:57 248064 ----a-w c:\windows\system32\dllcache\cl546xm.sys
2009-04-29 16:17 . 2001-08-17 19:56 268160 ----a-w c:\windows\system32\dllcache\atidvai.dll
2009-04-28 16:36 . 2004-08-04 05:59 43136 ----a-w c:\windows\system32\dllcache\sbp2port.sys
2009-04-28 16:36 . 2004-08-04 05:59 43136 ----a-w c:\windows\system32\drivers\sbp2port.sys
2009-04-28 05:21 . 2009-04-28 05:30 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-28 04:29 . 2009-04-28 04:29 -------- d-----w c:\program files\Trend Micro
2009-04-28 03:36 . 2009-04-28 03:36 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-28 03:36 . 2009-04-29 13:57 -------- d-----w C:\SUPERAntiSpyware
2009-04-28 03:36 . 2009-04-28 03:36 -------- d-----w c:\documents and settings\Matthew\Application Data\SUPERAntiSpyware.com
2009-04-28 01:27 . 2009-04-28 01:27 -------- d-----w c:\documents and settings\Matthew\Application Data\Malwarebytes
2009-04-28 01:27 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-28 01:27 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-28 01:27 . 2009-04-28 01:27 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-28 01:27 . 2009-04-28 01:27 -------- d-----w C:\Malwarebytes' Anti-Malware
2009-04-27 02:46 . 2009-04-27 18:28 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-27 01:23 . 2009-04-27 01:23 -------- d-----w c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-04-27 01:23 . 2009-04-27 01:23 -------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-04-27 01:23 . 2009-04-27 01:23 -------- d-----w c:\program files\SDHelper (Spybot - Search & Destroy)
2009-04-27 01:23 . 2009-04-27 01:23 -------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-04-26 23:59 . 2009-04-26 23:59 -------- d-----w c:\windows\ERUNT
2009-04-26 23:53 . 2009-04-29 03:06 -------- d-----w C:\SDFix
2009-04-18 20:16 . 2009-04-29 12:54 -------- d--h--w C:\$AVG8.VAULT$
2009-04-18 18:09 . 2009-04-18 18:09 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-18 18:09 . 2009-04-18 18:09 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-18 18:09 . 2009-04-18 18:09 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-18 18:09 . 2009-04-28 11:35 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-18 18:08 . 2009-04-28 11:35 -------- d-----w C:\AVG8
2009-04-18 18:08 . 2009-04-27 00:08 -------- d-----w c:\documents and settings\All Users\Application Data\avg8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-02 21:08 . 2004-01-12 21:01 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-02 21:07 . 2004-09-09 03:49 288 ----a-w c:\windows\system32\DVCStateBkp-{00000002-00000000-00000003-00001102-00000004-10031102}.dat
2009-05-02 21:07 . 2004-09-09 03:49 288 ----a-w c:\windows\system32\DVCState-{00000002-00000000-00000003-00001102-00000004-10031102}.dat
2009-04-28 05:30 . 2004-01-12 21:06 -------- d-----w c:\program files\Java
2009-04-23 21:15 . 2008-12-23 05:18 284 ----a-w c:\windows\Tasks\AppleSoftwareUpdate.job
2009-04-03 23:18 . 2007-07-12 02:37 189072 ----a-w c:\windows\system32\PnkBstrB.exe
2009-04-03 23:12 . 2007-07-12 02:38 138920 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-03-28 03:28 . 2007-11-19 01:24 75064 ----a-w c:\windows\system32\PnkBstrA.exe
2009-03-06 14:44 . 2002-08-29 11:00 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-06-23 16:33 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 07:56 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 10:20 . 2005-07-26 04:31 399360 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:20 . 2002-08-29 11:00 723456 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:20 . 2002-08-29 11:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:20 . 2002-08-29 11:00 616960 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:19 . 2002-08-29 11:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-06 17:22 . 1980-01-01 06:00 2136064 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 17:14 . 2002-08-29 11:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 16:54 . 2002-08-29 11:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 16:49 . 1980-01-01 06:00 2015744 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 20:08 . 2002-08-29 11:00 55808 ----a-w c:\windows\system32\secur32.dll
2007-08-18 00:20 . 2007-08-17 23:32 246 ----a-w c:\program files\Common Files\lavu
.

((((((((((((((((((((((((((((( SnapShot@2009-05-02_18.46.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-02 21:08 . 2009-05-02 21:08 16384 c:\windows\Temp\Perflib_Perfdata_74c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\quicktime\qttask.exe" [2008-11-04 413696]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
"MXO Auto Loader"="c:\windows\MXOALDR.EXE" [2003-04-08 118784]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe" [2006-01-19 11776]
"MaxtorOneTouch"="c:\maxtor\OneTouch\Utils\OneTouch.exe" [2003-05-21 45056]
"iTunesHelper"="c:\itunes\iTunesHelper.exe" [2008-11-20 290088]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2003-09-15 126976]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152]
"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]
"AVG8_TRAY"="c:\avg8\avgtray.exe" [2009-04-18 1932568]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-28 148888]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-05-16 19968]
"CTHelper"="CTHELPER.EXE" - c:\windows\SYSTEM32\CTHELPER.EXE [2007-10-28 28672]
"AsioReg"="CTASIO.DLL" - c:\windows\SYSTEM32\CTASIO.DLL [2003-02-20 110592]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\superantispyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w c:\superantispyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-18 18:09 10520 ----a-w c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MCVSRte"=3 (0x3)
"mcupdmgr.exe"=3 (0x3)
"McShield"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\mIRC\\mirc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\\FileZilla\\filezilla.exe"=
"c:\\AIM\\aim.exe"=
"c:\\Battlefield 2\\BF2.exe"=
"c:\\Enemy Territory - QUAKE Wars Beta\\etqw.exe"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrA.exe"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrB.exe"=
"c:\\Call of Duty\\CoDMP.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Tribes\\Tribes.exe"=
"c:\\LimeWire\\LimeWire.exe"=
"c:\\Call of Duty 4\\iw3mp.exe"=
"c:\\iTunes\\iTunes.exe"=
"c:\\AVG8\\avgemc.exe"=
"c:\\AVG8\\avgupd.exe"=
"c:\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R3 SASENUM;SASENUM;c:\superantispyware\SASENUM.SYS [2009-03-23 7408]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-18 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-18 108552]
S1 SASDIFSV;SASDIFSV;c:\superantispyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\superantispyware\SASKUTIL.sys [2009-03-23 72944]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\avg8\avgemc.exe [2009-04-18 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\avg8\avgwdsvc.exe [2009-04-18 298264]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{52fc83e4-3411-11de-ba24-000cf1a3d844}]
\Shell\AutoRun\command - F:\InstallSeagateManager.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:34]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
FF - ProfilePath - c:\documents and settings\Matthew\Application Data\Mozilla\Firefox\Profiles\1avju18g.default\
FF - component: c:\avg8\Firefox\components\avgssff.dll
FF - component: c:\mozilla firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-02 16:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\superantispyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\npnotes.dll

- - - - - - - > 'explorer.exe'(204)
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\windows\system32\ctagent.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\nslsvice.exe
c:\windows\SYSTEM32\nsl.exe
c:\windows\SYSTEM32\ati2evxx.exe
c:\windows\SYSTEM32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\program files\Intel\Intel Application Accelerator\IAANTmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Lotus\Notes\ntmulti.exe
c:\windows\SYSTEM32\PnkBstrA.exe
c:\windows\SYSTEM32\PnkBstrB.exe
c:\windows\SYSTEM32\MsPMSPSv.exe
c:\avg8\avgrsx.exe
c:\avg8\avgnsx.exe
c:\avg8\avgcsrvx.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\progra~1\MUSICM~1\MUSICM~1\MMDiag.exe
c:\program files\Logitech\MouseWare\system\EM_EXEC.EXE
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
.
**************************************************************************
.
Completion time: 2009-05-02 16:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-02 21:12
ComboFix2.txt 2009-05-02 18:49

Pre-Run: 35,155,288,064 bytes free
Post-Run: 35,147,431,936 bytes free

221 --- E O F --- 2009-04-18 15:46

[FreeFal311]

Also, I still have not reconnected to the internet. I'll take that queue from you.

[tetonbob]

Good job. Things are looking much better from here. Still more work to do. Yes, please do reconnect for these next steps.


As mentioned in our preposting topic:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

Quote:

3. Uninstall the following via Add or Remove Programs in Control Panel:

• p2p programs like uTorrent, Bittorrent, LimeWire, Morpheus, etc., as they are a major conduit for malware and a likely source of your current issues.

P2P - I see you have P2P software ( LimeWire ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

Please see this topic for more information:

Perils of P2P File Sharing

I would strongly recommend that you uninstall these now. You can do so via Control Panel >> Add or Remove Programs.

---------------------------------------------------------------------------------------------

I see you have SUPERAntiSpyware already installed.

• Launch SUPERAntiSpyware
• Update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
• Under "Configuration and Preferences", click the Preferences button.
• Click the Scanning Control tab.
• Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
• Click the "Close" button to leave the control center screen.
• Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
• On the left, make sure you check C:\Fixed Drive.
• On the right, under "Complete Scan", choose Perform Complete Scan.
• Click "Next" to start the scan. Please be patient while it scans your computer.
• After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
• Make sure everything has a checkmark next to it and click "Next".
• A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
• If asked if you want to reboot, click "Yes".
• To retrieve the removal information after reboot, launch SUPERAntispyware again.
  • Click Preferences, then click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Please copy and paste the Scan Log results in your next reply.
• Click Close to exit the program.

---------------------------------------------------------------------------------------------

Please perform this online scan to help look for remnants

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:

• Close any open programs
• Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.

• Click Run at the Security prompt.
• The program will then begin downloading and installing and will also update the database.
• Please be patient as this can take several minutes.
• Once the update is complete, click on Settings. Uncheck Mail databases.
• Next, click on My Computer under the green Scan bar to the left to start the scan.
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
• Click View scan report at the bottom.
• Click the Save Report As... button.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

---------------------------------------------------------------------------------------------

How is the machine behaving, please?

[FreeFal311]

Hi tetonbob-

Limewire has been removed, never to return again. I actually thought I had already removed it.

I ran both SUPERAntiSpyware and Kaspersky as instructed. Those logs are attached below. I'm not too worried about any of the things the Kaspersky scan found, but of course, I consider you to be the final judge of it. I know I have pent up viruses and worms as attachments in some of my saved Outlook Express email. I no longer use Outlook Express, and I'm just waiting for some free time to weed through the old emails.

The system continues to be stable and is behaving fairly well. I have noticed behavior, however, that may warrant your scrutiny. I used FireFox to run Kaspersky, and FireFox continues to run well. I cautiously opened IE and conducted a Google search. My search results came up, but I noticed that I'm still not seeing the green check marks that AVG Free 8.0's Link Scanner typically displays. I see these check marks in FireFox. This was one of the first signs I noticed after being infected. It may be that the IE plug-in is just disabled, but I didn't click any of the search links just in case. In the past, clicking a search link led to re-infection. Let me know what you think!

Beyond that, the system seems fine. I noticed a couple times, shortly after finishing with ComboFix, that my mouse would lock up off-and-on as Windows booted, as if some higher priority thread was starving the UI. But, that seems to no longer be happening now.

-----------------------------------------------------

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/02/2009 at 05:35 PM

Application Version : 4.26.1000

Core Rules Database Version : 3875
Trace Rules Database Version: 1823

Scan type : Complete Scan
Total Scan Time : 01:00:56

Memory items scanned : 745
Memory threats detected : 0
Registry items scanned : 5874
Registry threats detected : 0
File items scanned : 103388
File threats detected : 0

-----------------------------------------------------

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, May 2, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, May 03, 2009 00:56:16
Records in database: 2121714
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 106666
Threat name: 11
Infected objects: 12
Suspicious objects: 8
Duration of the scan: 02:50:13


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegDPF-Global.reg Suspicious: Exploit.HTML.Mht 1
C:\Documents and Settings\Matthew\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR3.75197 Suspicious: Exploit.HTML.Mht 1
C:\Documents and Settings\Matthew\Desktop\team4wa.com ftp\hijackthis.log Suspicious: Exploit.HTML.Mht 1
C:\Documents and Settings\Matthew\Local Settings\Application Data\Identities\{2C7A8CD0-78FA-427F-BF86-AE333A20DC52}\Microsoft\Outlook Express\UT Inbox.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Matthew\Local Settings\Application Data\Identities\{2C7A8CD0-78FA-427F-BF86-AE333A20DC52}\Microsoft\Outlook Express\UT Inbox.dbx Infected: Email-Worm.Win32.NetSky.r 2
C:\Documents and Settings\Matthew\Local Settings\Application Data\Identities\{2C7A8CD0-78FA-427F-BF86-AE333A20DC52}\Microsoft\Outlook Express\UT Inbox.dbx Infected: Trojan-Spy.HTML.Citifraud.g 1
C:\Documents and Settings\Matthew\Local Settings\Application Data\Identities\{2C7A8CD0-78FA-427F-BF86-AE333A20DC52}\Microsoft\Outlook Express\UT Inbox.dbx Infected: Trojan-Spy.HTML.Citifraud.l 2
C:\Documents and Settings\Matthew\Local Settings\Application Data\Identities\{2C7A8CD0-78FA-427F-BF86-AE333A20DC52}\Microsoft\Outlook Express\UT Inbox.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 2
C:\Documents and Settings\Matthew\Local Settings\Application Data\Identities\{2C7A8CD0-78FA-427F-BF86-AE333A20DC52}\Microsoft\Outlook Express\UT Inbox.dbx Infected: Trojan-Spy.HTML.UrlSpoof.p 1
C:\Documents and Settings\Matthew\Local Settings\Application Data\Identities\{2C7A8CD0-78FA-427F-BF86-AE333A20DC52}\Microsoft\Outlook Express\UT Inbox.dbx Infected: Trojan-Spy.HTML.Bankfraud.cr 1
C:\Documents and Settings\Matthew\My Documents\Old Documents\Mail Back-ups\Inbox.mbx Infected: Email-Worm.Win32.Magistr.b 1
C:\HijackThis\hijackthis.log Suspicious: Exploit.HTML.Mht 1
C:\HijackThis\hijackthisref.log Suspicious: Exploit.HTML.Mht 1
C:\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.612 1
C:\mIRC\mirc612.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.612 1
C:\Program Files\MUSICMATCH\Common\ComponentMgr\HoldingArea\WebSys\WebSys.mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\WebSys\offline.mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1

The selected area was scanned.

[tetonbob]

Quote:

I know I have pent up viruses and worms as attachments in some of my saved Outlook Express email. I no longer use Outlook Express, and I'm just waiting for some free time to weed through the old emails.

That's what it will take to be rid of these. Be careful not to execute anything while going through them.

A couple finds are in malwarebytes antimalware quarantine and spybot search & destroy registry backups. They can be cleared out from within the application interface.

These HijackThis logs may be flagged due to content within. If you don't need them, delete them

"C:\Documents and Settings\Matthew\Desktop\team4wa.com ftp\hijackthis.log"
"C:\HijackThis\hijackthis.log"
"C:\HijackThis\hijackthisref.log"

I'm curious about these next items, do you know how MusicMatch utilizes them? I imagine they are flagged due to potential, but RiskTool is not typically something I worry about unless you have no idea how it got on the machine, or if it's needed by the application. There's little concrete information about these files.

C:\Program Files\MUSICMATCH\Common\ComponentMgr\HoldingArea\WebSys\WebSys.mmz --> RiskTool.Win32.Deleter.f 1
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\WebSys\offline.mmz --> RiskTool.Win32.Deleter.f 1


The mIRC items can be ignored.

About LinkScanner, not sure. See if the LinkScanner addon is enabled in IE.

http://www.avg.com/faq.num-1094#faq_1094

[FreeFal311]

Hi tetonbob-

Ok, I bit the bullet, conducted a Google search, and clicked on a few links. They all seem to be working ok now. I checked in IE to see if the AVG Link Scanner plug-in was enabled, and the plug-in was missing altogether. This must have been due to some of the malware that hijacked IE. I do recall detecting a Trojan or Virus called KillAV or KillAVG.

Anyway, I reinstalled AVG 8.5 Free, the plug-in reinstalled, and now it is working again.

Regarding MusicMatch, I'm not sure how MusicMatch utilizes those items. MusicMatch came pre-installed on this Dell, along with a lot of other junk, and I never use it. I may just uninstall MusicMatch altogether.

I have another quick question: I conducted a HJT system scan, and I have a few R1/R0 entries for go.microsoft.com. Is this normal? If I post my HJT log, would you mind giving it a once over to make sure it looks ok to you as well?

[tetonbob]

They look like this?

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

Those are default settings, and from my machine. They don't show in the other logs because they are expected.

Sure, you can post a HijackThis log, though we rarely use it any longer.

[FreeFal311]

Hi tetonbob,
Sorry for the delayed response. I went ahead and posted my HJT log below. I appreciate you giving it a once over, even though it sounds like HJT is being obsoleted. If everything looks good to you, we can consider my issue resolved. My system seems to be behaving normally.

Do you have any more information about what I was infected with? Any thoughts on how I may have picked it up? Can web browsing alone cause it, or would something have had to been executed on my system? What did ComboFix actually do to remove it? I'm curious about these things, but if you're busy, don't feel obligated to go into any great detail.

Finally, I'd like to PayPal you a donation. Can you point me in the right direction for that?

[FreeFal311]

Ooops, forgot the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:39:30 AM, on 5/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\nslsvice.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\AVG8\avgrsx.exe
C:\AVG8\avgemc.exe
C:\AVG8\avgnsx.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\MXOALDR.EXE
C:\Maxtor\OneTouch\Utils\OneTouch.exe
C:\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\AVG8\avgcsrvx.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MUSICM~1\Common\COMPON~1\MMCOMP~1.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1187475355340
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1187476362093
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\System32\nslsvice.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 8447 bytes

[tetonbob]

Hi -

The HijackThis log looks good. Those are simply default settings in the R entries you asked about.

You had among other things a variant of the TDSS rootkit in your logs, as well as a malware-patched core Windows file. TDSS and it's variants are usually found on less than savory sites, or surreptiously installed as part of some "codec".

As far as what ComboFix did to remove it, I can't go into detail. I'm sure you'll understand.

I hope that answers your questions.



Other than that....

Your logs appear clean.You should be good to go. We still have a few items to address.

Go to -> Run -> copy/paste in the following single line command & click OK

combofix /u

This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:

• Microsoft Windows Update - http://www.windowsupdate.com
  Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  
  
• SpywareBlaster to help prevent spyware from installing in the first place.
  • Install & update SpywareBlaster with the latest definitions.
    After you have updated, click the button - enable protection for all unprotected items
• WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.
  
• McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.
  
• Winpatrol
  
  Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.
  
  You can get a free copy of Winpatrol or use the Plus version for more features.
  
  You can read Winpatrol's FAQ if you run into problems.
  
  
• MVPS HOST FILE
  The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
  • Download Host.zip to your desktop.
  • From your Desktop right-click (hosts.zip) and select:
    Extract All from the menu.
    
  • Click Next, click Next, select the option:
    "Show Extracted files", click Finish
    
  • This will open the newly created hosts folder on your Desktop.
    
  • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    
  • Once updated you should see another prompt that the task was completed.
• ANTIVIRUS SOFTWARE
  It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.
  
  Do not install more than one AntiVirus program because they will conflict with each other.
  
  
• Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer
  
  
• http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  
  
• http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP//Vista. It's made up of two parts - ERUNT & NTREGOPT.
  
  ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.
  
  NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

• How did I get infected in the first place?
• PC Safety and Security--What Do I Need?

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

[tetonbob]

Since this issue appears to be resolved, this topic will now be archived. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help