Computer is Infected but MalwareBytes does not see it

[Kberg81]

I have been struggling to identify a problem on my son's computer. The first symptom was the inability of any program to download any file or update. This problem included ITunes, AVG antivirus update, MalwareBytes update or installs for the online games my son likes to play (which probably lead to this problem in the first place - I know, don't remind me). The downloads would truncate after 16 to 24 megs even if the file size were larger. I disabled AVG and MalwareBytes and ran ComboFix.exe. Once that was done, I was able to get AVG to update and scan - but it did not detect anything.

The strange thing is that I cannot access any download page from my son's computer - for instance - I go to the MalwareBytes home page, click on the download link and the browser gives me a page not found message. Same thing happens if I go to another anti-spyware download page, such as Lavasoft's Adaware.

I used my computer to download a new malwarebytes install, removed the old one from my son's computer because it gave me the message that the setup files were corrupt when I tried to perform an update - I was able to install the latest version and run an update - but as with AVG - Malwarebytes detected nothing after a full scan.

I installed HiJackThis.exe and ran a diagnostic - and have appended the log file content to this post - I do not see anything that jumps out at me but perhaps someone else can help.

I am scratching my head at this point and hope I can get some assistance here because otherwise I have to do a clean wipe and OS re-install as a last resort.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 04:08:58 PM, on 8/9/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe

C:\WINNT\Explorer.EXE

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Creative\ShareDLL\CtNotify.exe

C:\PROGRA~1\AVG\AVG8\avgfws8.exe

E:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe

C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINNT\system32\ctfmon.exe

C:\Program Files\Creative\ShareDLL\MediaDet.Exe

C:\WINNT\System32\nvsvc32.exe

C:\PROGRA~1\AVG\AVG8\avgam.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSMonitor.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Okidata\OKI C3400n Status Monitor\OPSTM030.exe

C:\Documents and Settings\Andy.KEVIN.000\Desktop\AnalyseThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [AVGIDS] "C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe"

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] E:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab

O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162756947328

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINNT\SYSTEM32\avgrsstx.dll

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe

O23 - Service: AVGIDSAgent - AVG - C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe

O23 - Service: AVGIDSWatcher - AVG - C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

[SpySentinel]

Hi Kberg81, Welcome to Malwarebytes

1. Download RootRepeal from the following location and save it to your desktop.
   
   • Zip Mirrors (Recommended)
     
     • Secondary Mirror
       
     • Secondary Mirror
       

[*]Rar Mirrors - Only if you know what a RAR is and can extract it.

• Primary Mirror
• Secondary Mirror
  
• Secondary Mirror
  

[*]Extract RootRepeal.exe from the archive.

[*]Open on your desktop.

[*]Click the tab.

[*]Click the button.

[*]Check all seven boxes:

[*]Push Ok

[*]Check the box for your main system drive (Usually C:), and press Ok.

[*]Allow RootRepeal to run a scan of your system. This may take some time.

[*]Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

[AdvancedSetup]

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

[1972vet]

Re-opened at user's request.

[Kberg81]

Here is the rootrepeal log per your request:

ROOTREPEAL

[SpySentinel]

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

1. If you are using Firefox, make sure that your download settings are as follows:
   
   • Tools->Options->Main tab
     
   • Set to "Always ask me where to Save the files".
     

[*]During the download, rename Combofix to Combo-Fix as follows:

[*]It is important you rename Combofix during the download, but not after.

[*]Please do not rename Combofix to other names, but only to the one indicated.

[*]Close any open browsers.

[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  
• Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  

  -----------------------------------------------------------

  
  

• Close any open browsers.
  
• WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  
• If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  

-----------------------------------------------------------

[*]Double click on combo-Fix.exe & follow the prompts.

[*]When finished, it will produce a report for you.

[*]Please post the "C:\Combo-Fix.txt" for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

[Kberg81]

Per your request, I executed the tasks as specified. Here is the log file content:

ComboFix 09-08-10.06 - Andy 08/17/2009 21:26.2.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.173 [GMT -4:00]

Running from: c:\documents and settings\Andy.KEVIN.000\Desktop\Combo-Fix.exe

AV: AVG Internet Security *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

.

((((((((((((((((((((((((( Files Created from 2009-07-18 to 2009-08-18 )))))))))))))))))))))))))))))))

.

2009-08-17 01:08 . 2009-08-17 01:08 -------- d-----w- c:\winnt\Sun

2009-08-17 01:06 . 2009-08-17 01:06 411368 ----a-w- c:\winnt\system32\deploytk.dll

2009-08-17 01:06 . 2009-07-29 22:38 1471768 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll

2009-08-17 01:06 . 2009-07-29 22:38 1126168 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe

2009-08-17 01:06 . 2009-07-29 22:38 758040 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll

2009-08-17 01:05 . 2009-08-17 01:05 152576 ----a-w- c:\documents and settings\Andy.KEVIN.000\Application Data\Sun\Java\jre1.6.0_15\lzma.dll

2009-08-09 14:55 . 2009-08-03 17:36 38160 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys

2009-08-09 14:55 . 2009-08-03 17:36 19096 ----a-w- c:\winnt\system32\drivers\mbam.sys

2009-08-09 02:28 . 2009-08-09 02:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVGTOOLBAR

2009-08-09 02:27 . 2009-08-09 02:27 -------- d-----w- C:\CrashReport

2009-08-07 02:51 . 2009-08-07 02:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple

2009-08-05 13:14 . 2009-08-05 13:14 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles

2009-08-05 12:44 . 2009-08-05 12:44 -------- d-----w- c:\documents and settings\Kevin\Local Settings\Application Data\DNA

2009-08-05 12:44 . 2009-08-09 14:13 -------- d-----w- c:\documents and settings\Kevin\Application Data\DNA

2009-08-05 12:44 . 2009-08-05 12:44 -------- d-----w- c:\documents and settings\Kevin\Program Files

2009-08-04 21:38 . 2009-08-04 21:38 -------- d-----w- C:\.jagex_cache_32

2009-07-27 18:56 . 2009-07-27 18:56 -------- d-----w- c:\documents and settings\Andy.KEVIN.000\Local Settings\Application Data\Apple

2009-07-27 18:50 . 2009-07-27 18:50 -------- d-----w- c:\documents and settings\Andy.KEVIN.000\Application Data\Apple Computer

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-06-29 16:12 . 2006-11-05 20:49 827392 ----a-w- c:\winnt\system32\wininet.dll

2009-06-29 16:12 . 2009-01-14 21:26 78336 ----a-w- c:\winnt\system32\ieencode.dll

2009-06-29 16:12 . 2009-01-14 21:25 17408 ----a-w- c:\winnt\system32\corpol.dll

2009-06-16 14:36 . 2009-01-14 21:25 81920 ----a-w- c:\winnt\system32\fontsub.dll

2009-06-16 14:36 . 2009-01-14 21:25 119808 ----a-w- c:\winnt\system32\t2embed.dll

2009-06-03 19:09 . 2009-01-14 21:25 1291264 ----a-w- c:\winnt\system32\quartz.dll

2009-06-01 22:08 . 2009-06-01 22:08 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe

2005-04-23 15:45 . 2005-04-23 15:45 21952 ---h--w- c:\program files\folder.htt

.

((((((((((((((((((((((((((((( SnapShot@2009-08-08_21.52.29 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-08-18 01:18 . 2009-08-18 01:18 16384 c:\winnt\temp\Perflib_Perfdata_1bc.dat

+ 2009-08-17 01:06 . 2009-08-17 01:06 149280 c:\winnt\system32\javaws.exe

+ 2009-08-17 01:06 . 2009-08-17 01:06 145184 c:\winnt\system32\javaw.exe

+ 2009-08-17 01:06 . 2009-08-17 01:06 145184 c:\winnt\system32\java.exe

+ 2009-08-17 01:06 . 2009-08-17 01:06 1757696 c:\winnt\Installer\30545.msi

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\winnt\System32\NvCpl.dll" [2001-12-31 3756032]

"NvMediaCenter"="c:\winnt\System32\NvMcTray.dll" [2001-12-31 46080]

"Disc Detector"="c:\program files\Creative\ShareDLL\CtNotify.exe" [1999-08-30 189952]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-16 153136]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]

"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-08-08 520024]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-10 1932568]

"AVGIDS"="c:\program files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe" [2009-02-26 1579528]

"SunJavaUpdateSched"="e:\program files\Java\jre6\bin\jusched.exe" [2009-08-17 149280]

"Synchronization Manager"="mobsync.exe" - c:\winnt\system32\mobsync.exe [2008-04-14 143360]

"nwiz"="nwiz.exe" - c:\winnt\system32\nwiz.exe [2001-12-31 831488]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2008-04-14 214528]

"tscuninstall"="c:\winnt\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

HotSync Manager.lnk - c:\palm\HOTSYNC.EXE [2004-4-13 299008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-05-10 20:19 10520 ----a-w- c:\winnt\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Documents and Settings\\Kevin\\Application Data\\Google\\Google Earth\\googleearth.exe"=

"c:\\Program Files\\Lavasoft\\Ad-Aware\\Ad-Aware.exe"=

"e:\\Program Files\\Electronic Arts\\SPORE\\Sporebin\\SporeApp.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

"e:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 AVGIDSErHr;AVGIDSErHr;c:\winnt\system32\drivers\AVGIDSErHr.sys [2/26/2009 12:46 PM 25608]

R0 AvgRkx86;avgrkx86.sys;c:\winnt\system32\drivers\avgrkx86.sys [5/10/2009 04:19 PM 12552]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\winnt\system32\drivers\avgldx86.sys [5/10/2009 04:19 PM 325640]

R1 AvgTdiX;AVG8 Network Redirector;c:\winnt\system32\drivers\avgtdix.sys [5/10/2009 04:19 PM 107912]

R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/10/2009 04:18 PM 298264]

R2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [5/10/2009 04:18 PM 1362784]

R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe [2/26/2009 12:46 PM 5576712]

R2 AVGIDSWatcher;AVGIDSWatcher;c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe [2/26/2009 12:46 PM 563720]

R3 Avgfwdx;Avgfwdx;c:\winnt\system32\drivers\avgfwdx.sys [5/4/2009 11:46 AM 29208]

R3 AVGIDSDriver;AVGIDSDriver;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSDriver.sys [2/26/2009 12:46 PM 121352]

R3 AVGIDSFilter;AVGIDSFilter;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSFilter.sys [2/26/2009 12:46 PM 30216]

R3 AVGIDSShim;AVGIDSShim;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys [2/26/2009 12:46 PM 27232]

R3 ev19x8mp;Creative SB AudioPCI Audio Driver (WDM);c:\winnt\system32\drivers\ev19x8mp.sys [11/7/2006 06:54 PM 522268]

R3 MBAMProtector;MBAMProtector;c:\winnt\system32\drivers\mbam.sys [8/9/2009 10:55 AM 19096]

S2 MBAMService;MBAMService;"c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe" --> c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [?]

S3 Avgfwfd;AVG network filter service;c:\winnt\system32\drivers\avgfwdx.sys [5/4/2009 11:46 AM 29208]

.

Contents of the 'Scheduled Tasks' folder

2009-08-08 c:\winnt\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 22:07]

2009-08-07 c:\winnt\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-Malwarebytes' Anti-Malware - c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

LSP: c:\winnt\system32\lspcs.dll

DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-17 21:32

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Disc Detector = c:\program files\Creative\ShareDLL\CtNotify.exe?X???????????????? C?????Disc Detector?B???A???????A???????B???@?$?@?? C?????U?@?????????@?B???A???????A?@ ????B???@?????P???$?@?????????~?B~??????????@???????????????????B?????L ????????????????????????????B

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(660)

c:\winnt\system32\lspcs.dll

- - - - - - - > 'explorer.exe'(424)

c:\winnt\system32\WININET.dll

c:\winnt\system32\ieframe.dll

.

Completion time: 2009-08-18 21:36

ComboFix-quarantined-files.txt 2009-08-18 01:35

ComboFix2.txt 2009-08-08 21:54

Pre-Run: 2,895,826,944 bytes free

Post-Run: 2,948,177,920 bytes free

158 --- E O F --- 2009-07-30 02:07

[SpySentinel]

Please download Malwarebytes' Anti-Malware

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish, so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy&Paste the entire report in your next reply.
  

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

[Kberg81]

Thank you for your quick response - I will give it a shot this evening.

I am hoping that combofix will have addressed the problem sufficiently so that I can actually get malwarebytes to update after an install. The problem has been that the infection prevents downloads of any file greater than about 700K in size so most updates fail - including malwarebytes and AVG antivirus. It even prevents me from going to any web pages where I can download malwarebytes.

Did any of the information I sent to you indicate where the problem lies?

[SpySentinel]

Yes, this is a new infection that prevents security tools from running.

[Kberg81]

OK - I was able to re-install Malwarebytes and perform and update with no issues. I ran a full scan and it indicated no infection. Log file is below. I also was able to update AVG antivirus and run a full scan on all drives with no detection of infection.

I still cannot use a browser (IE 8) to navigate to the MBAM download page on this computer. I get a page not found message. I have checked the local hosts file and found nothing in it but the loop back address. Is there some place else on the computer where filter file my reside that was related to the infection?

Here is the MBAM log:

Malwarebytes' Anti-Malware 1.40

Database version: 2651

Windows 5.1.2600 Service Pack 3

8/18/2009 10:26:49 PM

mbam-log-2009-08-18 (22-26-49).txt

Scan type: Full Scan (C:\|D:\|E:\|)

Objects scanned: 166916

Time elapsed: 19 minute(s), 16 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

I also ran another program called RootKitReveal after I ran MalwareBytes and here is the log from that scan:

HKU\S-1-5-21-1123561945-507921405-839522115-1008\Console 8/17/2009 09:36 PM 0 bytes Security mismatch.

HKLM\SECURITY\Policy\Secrets\SAC* 4/23/2005 12:01 PM 0 bytes Key name contains embedded nulls (*)

HKLM\SECURITY\Policy\Secrets\SAI* 4/23/2005 12:01 PM 0 bytes Key name contains embedded nulls (*)

HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 8/18/2009 10:28 PM 80 bytes Data mismatch between Windows API and raw hive data.

HKLM\SOFTWARE\swearware\backup\winsock2 8/8/2009 05:37 PM 0 bytes Security mismatch.

HKLM\SOFTWARE\swearware\backup\winsock2\Parameters 8/8/2009 05:37 PM 0 bytes Security mismatch.

HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5 8/8/2009 05:37 PM 0 bytes Security mismatch.

HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries 8/8/2009 05:37 PM 0 bytes Security mismatch.

HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 8/8/2009 05:37 PM 0 bytes Security mismatch.

HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 8/8/2009 05:37 PM 0 bytes Security mismatch.

HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 8/8/2009 05:37 PM 0 bytes Security mismatch.

HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9 8/8/2009 05:37 PM 0 bytes Security mismatch.

HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries 8/8/2009 05:37 PM 0 bytes Security mismatch.

HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 8/8/2009 05:37 PM 0 bytes Security mismatch.

HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 8/8/2009 05:37 PM 0 bytes Security mismatch.

HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 8/8/2009 05:37 PM 0 bytes Security mismatch.

HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 8/8/2009 05:37 PM 0 bytes Security mismatch.

HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 8/8/2009 05:37 PM 0 bytes Security mismatch.

HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 8/8/2009 05:37 PM 0 bytes Security mismatch.

HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 8/8/2009 05:37 PM 0 bytes Security mismatch.

HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 8/8/2009 05:37 PM 0 bytes Security mismatch.

HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 8/8/2009 05:37 PM 0 bytes Security mismatch.

HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 8/8/2009 05:37 PM 0 bytes Security mismatch.

HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 8/8/2009 05:37 PM 0 bytes Security mismatch.

HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012 8/8/2009 05:37 PM 0 bytes Security mismatch.

HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013 8/8/2009 05:37 PM 0 bytes Security mismatch.

HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014 8/8/2009 05:37 PM 0 bytes Security mismatch.

HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015 8/8/2009 05:37 PM 0 bytes Security mismatch.

HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016 8/8/2009 05:37 PM 0 bytes Security mismatch.

HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017 8/8/2009 05:37 PM 0 bytes Security mismatch.

C:\WINNT\temp\029008a8-5d70-4538-88a1-ed30a09cf475.tmp 8/18/2009 10:28 PM 0 bytes Visible in Windows API, MFT, but not in directory index.

C:\WINNT\temp\3847171e-57b0-4c74-b99f-7a36cca08fee.tmp 8/18/2009 10:28 PM 0 bytes Visible in Windows API, MFT, but not in directory index.

C:\WINNT\temp\6565c9e2-7cf0-40f8-84b5-95d03d8a158d.tmp 8/18/2009 10:31 PM 0 bytes Visible in directory index, but not Windows API or MFT.

C:\WINNT\temp\730afc31-e778-47f0-b430-d54549f4c020.tmp 8/18/2009 10:29 PM 0 bytes Visible in Windows API, MFT, but not in directory index.

C:\WINNT\temp\c813b012-2d47-4c95-80fc-bd0d53109a67.tmp 8/18/2009 10:29 PM 0 bytes Visible in Windows API, MFT, but not in directory index.

[SpySentinel]

Step #1

1. Go to Start->Run and type in notepad and hit OK.

2. Then copy and paste the content of the following codebox into Notepad:

@echo off

copy C:\WINDOWS\system32\dllcache\scecli.dll c:\scecli.dll

Exit

3. Save the file as "fixes.bat". Make sure to save it with the quotation marks.

4. Double click fixes.bat.

Step #2

We need to execute an Avenger2 script

Note to users reading this topic! This script was created specificly for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.

1. Please download The Avenger2 by SwanDog46.
   
2. Unzip avenger.exe to your desktop.
   
3. Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
   

   Files to move:
   c:\scecli.dll | C:\WINDOWS\system32\scecli.dll

   
   

4. Now start The Avenger2 by double clicking avenger.exe on your desktop.
   
5. Read the prompt that appears, and press OK.
   
6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
   
7. Press the "Execute" button.
   
8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
   Note: It is possible that Avenger will reboot your system TWICE.
   
9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.
   

Step #3

Download the HostsXpert 4.3 - Hosts File Manager.

• Unzip HostsXpert 4.3 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.3 - Hosts File Manager
  
• Run HostsXpert 4.3 - Hosts File Manager from its new home
  
• Click on "File Handling".
  
• Click on "Restore MS Hosts File".
  
• Click OK on the Confirmation box.
  
• Click on "Make Read Only?"
  
• Click the X to exit the program.
  
• Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
  

[Kberg81]

I checked my computer after reading the log and found that there is no file in the dll cache called scecli.dll. There is one now in the system32 folder.

Note that I am still prevented from getting to any kind of download page - I go to CNET.com, click on the downloads link http:// . . / and I get a page that looks like this:

Forbidden

You don't have permission to access / on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

If I go to a site like Lavasoft and try to go to their download page for ad-aware, the link to which looks like this:

http://www.lavasoft.com/single/mirror_down...php?f=g2Obc772A

I am redirected to a page not found page with a link that looks like this:

http://avg.urlseek.vmn.net/search.php?lg=e...10045910%2Ehtml

I am assuming that AVG antivirus is generating this page, but maybe this is just a coincidence or misdirection.

Also note that I am still prevented from downloading programs like spyware doctor. I can update AVG antivirus manually but the automatic update still fails.

=================================================================

Here is the log for tha avenger program:

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

Error: file "c:\scecli.dll" not found!

File move operation "c:\scecli.dll|C:\WINDOWS\system32\scecli.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

[SpySentinel]

That page you get redirected to is caused by the infection.

Please download Win32kDiag.exe by AD to the desktop. Double click on it. It will make a diagnostic and produce a report on the desktop. Post that report on your next reply:

[Kberg81]

I figured as much but I wanted to give you the details in case I was missing something. I will run the diagnostic this evening and get back to you.

[SpySentinel]

Thank you. That link was great, it will help to add this to the MBAM database. Thanks again, and I look forward to your reply.

[screen317]

Kberg81,

SpySentinel will be away for a bit and I will be taking over for him. Please follow his most recent set of instructions and we'll continue from there.

-screen317

[Kberg81]

Win32KDiag.exe log as follows:

Searching 'C:\WINNT'...

Finished!

Whatever this is - its buried deep.

[screen317]

I still cannot use a browser (IE 8) to navigate to the MBAM download page on this computer. I get a page not found message. I have checked the local hosts file and found nothing in it but the loop back address. Is there some place else on the computer where filter file my reside that was related to the infection?

Does this only occur with Internet Explorer? Does it happen with Firefox?

Please give me a summary of the problems you are currently experiencing and I'll do my best to help.

[Kberg81]

Chris -

If you follow the thread from the beginning, you will get a good idea of the problem, but just to recap -

The problem surfaced when my son discovered that he could not download anything from iTunes and later, online game updates. No file bigger than about 500 to 700Kb could be downloaded to his computer (my best estimate). This problem also prevented updates to AVG antivirus and malwarebytes, both of which were installed on his machine (of course, a 14 year old kid does not take the time to actually use the darn tools and cancels any scheduled scan when it starts - but I digress).

I then noticed that I could not access any site that would allow me to download anti-spyware - I was automatically redirected to page not found or the browser just hung. That's when I posted to this page and if you follow the thread, you can see that SpySentinel has asked me to try a whole bunch of things. Combo-Fix loosened things up enough so that I could manually run updates on AVG and MalwareBytes, but auto updates still fail. Scans with AVG and MWB have not detected anything.

I have not tried installing another browser on my son's computer, because even iTunes does not work, so my gut feeling is that whatever this is, its bigger than just the browser. If you think its worth the trouble, I could try to install Firefox to see if that browser can get to the download pages.

I could just blow away the OS and reload everything, but my guess is, from what SpySentinel has said, that this infection is something new and it would be worthwhile to figure out what it is.

SpySentinel's most recent instructions were to run Win32KDiag.exe and it did not uncover anything.

Any thoughts?

[screen317]

Hi Kberg81,

I suspect a file infector.

Please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Accept, when prompted to download and install the program files and database of malware definitions.

• Click Run at the Security prompt.
  
• The program will then begin downloading and installing and will also update the database.
  
• Please be patient as this can take several minutes.
  
• Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  
• Click View scan report at the bottom.
  
• Click the Save Report As... button.
  
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
  

**Note**

To optimize scanning time and produce a more sensible report for review:

• Close any open programs.
  
• Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
  

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

-screen317

[Kberg81]

I tried running the Kaspersky online scanner earlier this week but again ran into the choke point where the program tried to download files bigger than half a meg and failed when attempting to install them because they were truncated.

I will give it another go but I am not optimistic.

[screen317]

Try this instead:

Download the latest version of Kaspersky Virus Removal Tool

• Close all other applications and double-click and run the installer.
  
• If malware is detected, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  
• After the scan finishes, if any threat remains in the Scan window (Red exclamation point), click the Neutralize all button
  
• In the window that opens, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  
• If advised that a special disinfection procedure is required which demands system reboot: click the Ok button to close the window.
  
• In the Scan window click the Reports button and select Save to file.
  
• Name the report AVPT.txt, and save it to the Desktop.
  
• Close AVPTool.
  
• You will be prompted if you want to uninstall the program; click Yes.
  
• You will then be prompted that to complete the uninstallation, the computer must be restarted. Select Yes to restart the system.
  
• Copy and paste the first part of the report (Detected) that you saved in your next reply. Do not include the longer list marked Events.
  

-screen317

[Kberg81]

No luck with the link (from my computer, not the infected computer):

The webpage at ftp://downloads2.kaspersky-labs.com/devbu...Tool/index.html might be temporarily down or it may have moved permanently to a new web address.

[screen317]

Get it from here:

http://www.kaspersky.com/support/viruses/utility

Scroll down to "Kaspersky Virus Removal Tool"