Status
Not open for further replies.

Registered · 13 Posts · Discussion Starter · #1
Hi there, I pulled out my old computer as my girlfriend is in need of my laptop, but my machine is seriously infected with viruses. I'm pretty sure it's in svchost, as it's draining my resources when I check my processes in Task Manager; also my Firefox is constantly being redirected or taken over by adware, and there are constant machine errors. Suddenly my machine won't let me onto the internet; it says my Firefox and IE are not supported programs and cannot open. My Windows audio constantly stops, and I really need some help to get rid of these viruses. I think my girlfriend got the infections from a P2P program, LimeWire, when I had a really crappy antivirus; I now use Malwarebytes Anti-Malware and AVG 9, not the free version, the paid one. Anyway, I followed all of your first steps and here are the logs, DDS and attached, which is named ark. Thank you all, and any more info you have is greatly appreciated. I am well aware of how to keep viruses and malware off my machines, as my laptop is totally free of both, but I have since only allowed my girlfriend to use my computers under the guest account with no P2P or torrent programs available to her. Also I uninstalled LimeWire, uTorrent and DAEMON Tools as per your directions, with no plans on reinstalling LimeWire in the future. Here is my DDS log and the attached.

DDS (Ver_11-03-05.01) - NTFSx86
Run by Owner at 17:40:33.62 on Wed 03/30/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.768.239 [GMT -7:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [LGODDFU] "c:\program files\lg_fwupdate\fwupdate.exe" blrun
mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mExplorerRun: [fpact] c:\windows\system32\config\system~1\locals~1\temp\zitui1.exe
mPolicies-explorer: NoResolveTrack = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.walmartphotocentre.ca/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/webgames/popcaploader_v10.cab
TCP: NameServer = 93.188.164.167,93.188.160.137
TCP: {8310C94B-7C2B-404B-A124-B9B4EEA02E07} = 93.188.164.167,93.188.160.137
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\3ovfhewz.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: [email protected] - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg9\Firefox
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2011-3-15 25168]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2011-3-15 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2011-3-15 216400]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2011-3-15 29584]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2011-3-15 243024]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2011-3-15 308136]
R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2011-3-15 2331032]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2011-3-15 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2011-3-15 122448]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2011-3-15 30288]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2011-3-15 26192]
R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-3-22 38224]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2011-3-15 30104]
S3 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2011-3-15 5897808]
S3 CanonDrv;CanonDrv;c:\windows\system32\drivers\CanonDrv.sys [2009-2-15 3328]
S3 DfSdkS;Defragmentation-Service;c:\program files\ashampoo\ashampoo winoptimizer 6\DfSdkS.exe [2010-8-24 406016]
.
=============== Created Last 30 ================
.
2011-03-23 01:07:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-23 01:07:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-23 00:42:58 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2011-03-23 00:42:58 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-03-23 00:42:56 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2011-03-23 00:42:56 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2011-03-16 17:01:57 -------- d-----w- C:\Adobe
2011-03-15 21:56:52 -------- d--h--w- C:\$AVG
2011-03-15 20:52:30 1409 ----a-w- c:\windows\QTFont.for
2011-03-15 20:21:53 -------- d-----w- c:\docume~1\owner\applic~1\AVG9
2011-03-15 19:59:38 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2011-03-15 19:57:24 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-03-15 19:57:22 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-03-15 19:57:11 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-03-15 19:56:55 -------- d-----w- c:\windows\system32\drivers\Avg
2011-03-15 19:56:35 25168 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2011-03-15 19:56:21 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2011-03-15 19:56:21 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2011-03-15 19:56:16 -------- d-----w- c:\program files\AVG
2011-03-15 19:56:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\avg9
2011-03-12 19:28:40 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-03-12 19:28:40 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M ====================
.
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, GMER - Rootkit Detector and Remover
Windows 5.1.2600 Disk: Maxtor_6Y080L0 rev.YAR41BW0 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82579EC5]
\Device\Harddisk0\DR0[0x82F63AB8]
3 CLASSPNP[0xF756EFD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000060[0x82F65F18]
5 ACPI[0xF73CD620] -> nt!IofCallDriver[0x804E37D5] -> [0x82F62D98]
[0x82441A80] -> IRP_MJ_CREATE -> 0x82579EC5
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskMaxtor_6Y080L0__________________________YAR41BW0#325959344b57454e202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x82579AEA
user & kernel MBR OK
sectors 160086526 (+201): user != kernel
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 17:42:15.45 ===============

OK, I just realised I don't know how to add an attachment, or better yet I cannot; I have no Manage Attachments button?!
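The entries in a DDS log that a helper reads first are the autorun keys, the configured DNS resolvers and the GMER rootkit section. As an added example (not code from the thread, from DDS or from GMER), here is a small Python triage script that parses a DDS-style log into its sections and flags three kinds of entry: an autorun that launches from a user-writable or temporary folder, a resolver address that is neither private nor on a caller-supplied trusted list, and the hook, sector-mismatch and warning lines that GMER writes in its ROOTKIT section. The sample log is a constructed subset of the entries in the post above; the folder markers, the finding names and the `trusted_dns` parameter are this example's own heuristics, and a flagged line is something to review, not a verdict.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: a subset of the DDS / GMER entries from the post above,
# one entry per line as DDS normally writes them.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mWinlogon: Userinit=c:\windows\system32\userinit.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mExplorerRun: [fpact] c:\windows\system32\config\system~1\locals~1\temp\zitui1.exe
TCP: NameServer = 93.188.164.167,93.188.160.137
TCP: {8310C94B-7C2B-404B-A124-B9B4EEA02E07} = 93.188.164.167,93.188.160.137
.
=================== ROOTKIT ====================
.
user: MBR read successfully
detected hooks:
\Driver\atapi DriverStartIo -> 0x82579AEA
user & kernel MBR OK
sectors 160086526 (+201): user != kernel
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 17:42:15.45 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# Autorun key prefixes as DDS prints them (lower-cased for comparison).
AUTORUN_KEYS = ("urun:", "mrun:", "uexplorerrun:", "mexplorerrun:",
                "mwinlogon:", "startupfolder:")
# Heuristic (this example's own): folders an ordinary user can write to,
# including the 8.3 short names DDS often shows.
WRITABLE_MARKERS = ("\\temp\\", "\\locals~1\\", "\\local settings\\",
                    "\\applic~1\\", "\\application data\\", "\\appdata\\")
NAMESERVER_RE = re.compile(
    r"^TCP:\s+(?:NameServer|\{[0-9A-Fa-f-]+\})\s*=\s*([\d.,\s]+)$")
HOOK_RE = re.compile(r"^\\Driver\\\S+ \S+ -> 0x[0-9A-Fa-f]+$")


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def parse_sections(text):
    """Split a DDS-style log into {SECTION NAME: [entry lines]}."""
    sections, current = {}, "PREAMBLE"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # DDS pads sections with "." lines
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).upper()
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def flag_autoruns(entries):
    """Autorun entries whose command lives in a user-writable folder."""
    out = []
    for line in entries:
        low = line.lower()
        if low.startswith(AUTORUN_KEYS) and any(m in low for m in WRITABLE_MARKERS):
            out.append(Finding("autorun-from-user-writable", line))
    return out


def flag_dns(entries, trusted=()):
    """Resolver addresses that are neither private (LAN router) nor trusted.
    The caller passes the ISP's or corporate resolvers in `trusted`."""
    out, seen = [], set()
    for line in entries:
        m = NAMESERVER_RE.match(line)
        if not m:
            continue
        for addr in filter(None, m.group(1).replace(" ", "").split(",")):
            if addr in seen or addr in trusted:
                continue
            seen.add(addr)
            if not ipaddress.ip_address(addr).is_private:
                out.append(Finding("unexpected-dns", f"{addr} ({line})"))
    return out


def flag_rootkit(entries):
    """Lines GMER itself reports as suspicious: hooks, MBR mismatch, warnings."""
    out = []
    for line in entries:
        low = line.lower()
        if low.startswith("warning:") or "user != kernel" in low or HOOK_RE.match(line):
            out.append(Finding("rootkit-indicator", line))
    return out


def triage(text, trusted_dns=()):
    """Run all three checks over a log and return the findings in order."""
    sections = parse_sections(text)
    hjt = sections.get("PSEUDO HJT REPORT", [])
    return (flag_autoruns(hjt)
            + flag_dns(hjt, trusted_dns)
            + flag_rootkit(sections.get("ROOTKIT", [])))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}")
```

Run against the sample it reports the `mExplorerRun` entry in the temp folder, the two `93.188.x.x` resolvers, and the three GMER lines (the `\Driver\atapi` hook, the `user != kernel` sector mismatch and the TDL3 warning). Passing the machine's legitimate resolvers as `trusted_dns` silences the DNS findings, which is how a helper would separate an ISP-assigned server from one a DNS changer configured.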
 

Premium Member · 29,813 Posts
Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

One or more of the identified infections is a backdoor trojan/rootkit.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please refer to Microsoft's Online Safety article for tips on creating a strong password.

Do not change passwords or do any transactions from the infected computer until it has been cleaned.

------------------------------------------------------

I can't read your logs as posted. Please look at some other threads and see how the logs should look, then repost them in a readable form.

You can post the Attach.txt log instead of attaching it.

------------------------------------------------------
 

Premium Member · 29,813 Posts
Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

IMPORTANT - Read This Before Posting For Malware Removal Help

------------------------------------------------------
 