xp antivirus 2010 aftermath?

Hi,

I kept getting a pop-up rogue antivirus, XP Antivirus 2010. This wouldn't allow me to install Malwarebytes.

I ran Spybot and then downloaded and ran ATF Cleaner and ComboFix, which produced a log (included below) and got rid of the pop-ups and the shield on the toolbar.

I then managed to install Malwarebytes, but when I try to run a scan, it will not progress past 1 minute and 20 seconds before it freezes.

I followed one of the threads on this website and there is no mention of TDSSserv.sys. I ran the GMER rootkit scan (log below) and DDS (log below), and Malwarebytes still doesn't work.

Spybot is now reporting no problems, but I am suspicious that something is still there preventing Malwarebytes from running.

Please advise.

Thanks, Ted

ComboFix log.

ComboFix 10-02-12.01 - SCS 15/02/2010 17:06:00.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1022.516 [GMT 0:00]

Running from: c:\documents and settings\SCS\Desktop\abcd.exe

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\SCS\Application Data\0200000078097656C.manifest

c:\documents and settings\SCS\Application Data\0200000078097656O.manifest

c:\documents and settings\SCS\Application Data\0200000078097656P.manifest

c:\documents and settings\SCS\Application Data\0200000078097656R.manifest

c:\documents and settings\SCS\Application Data\0200000078097656S.manifest

c:\documents and settings\SCS\Local Settings\Application Data\av.exe

c:\windows\system32\install.exe

c:\windows\system32\Install.txt

C:\xcrashdump.dat

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_DUMETERSVC

-------\Service_DUMeterSvc

((((((((((((((((((((((((( Files Created from 2010-01-15 to 2010-02-15 )))))))))))))))))))))))))))))))

.

2010-02-15 16:26 . 2010-02-15 16:26 -------- d-----w- c:\documents and settings\SCS\Application Data\Malwarebytes

2010-02-15 16:25 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-02-15 16:25 . 2010-02-15 16:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-02-15 16:25 . 2010-02-15 16:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-15 16:25 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-22 12:41 . 2010-01-22 12:41 -------- d-----w- c:\program files\Common Files\Adobe AIR

2010-01-22 12:39 . 2010-01-25 08:38 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-01-19 15:18 . 2004-09-15 15:28 24576 ------w- c:\windows\system32\gemstrmw.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-02-15 09:06 . 2008-11-27 13:20 -------- d-----w- c:\program files\LogMeIn

2010-02-12 15:33 . 2007-09-28 14:04 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-02-12 15:13 . 2009-06-18 08:28 -------- d-----w- c:\documents and settings\SCS\Application Data\gtk-2.0

2010-01-22 12:43 . 2003-03-06 13:53 -------- d-----w- c:\program files\Common Files\Adobe

2010-01-19 15:20 . 2004-04-15 09:31 -------- d-----w- c:\program files\Gemplus

2010-01-19 15:17 . 2004-04-15 09:31 -------- d-----w- c:\program files\Common Files\Gemplus

2010-01-05 10:00 . 2004-12-07 16:37 832512 ----a-w- c:\windows\system32\wininet.dll

2010-01-05 10:00 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-01-05 10:00 . 2002-08-29 05:00 17408 ----a-w- c:\windows\system32\corpol.dll

2009-12-31 16:50 . 2002-08-29 05:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-16 18:43 . 2002-08-29 05:00 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:08 . 2002-08-29 05:00 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-08 19:27 . 1980-01-01 00:00 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe

2009-12-08 18:43 . 1980-01-01 00:00 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe

2009-12-04 18:22 . 2002-08-29 05:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2009-11-27 17:11 . 2003-05-13 09:28 1291776 ----a-w- c:\windows\system32\quartz.dll

2009-11-27 17:11 . 2002-08-29 05:00 17920 ----a-w- c:\windows\system32\msyuv.dll

2009-11-27 16:07 . 2002-08-29 05:00 8704 ----a-w- c:\windows\system32\tsbyuv.dll

2009-11-27 16:07 . 2002-08-29 05:00 28672 ----a-w- c:\windows\system32\msvidc32.dll

2009-11-27 16:07 . 2002-08-29 05:00 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-11-27 16:07 . 2002-08-29 05:00 48128 ----a-w- c:\windows\system32\iyuv_32.dll

2009-11-27 16:07 . 2002-08-29 05:00 11264 ----a-w- c:\windows\system32\msrle32.dll

1998-03-20 00:00 . 1998-03-20 00:00 1048 --sha-w- c:\windows\SYSTEM32\flfnpy.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-12 68856]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"DU Meter"="c:\program files\DU Meter\DUMeter.exe" [2008-06-08 2645528]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]

"gemstrmw"="c:\windows\system32\gemstrmw.exe" [2004-09-15 24576]

"EPSON Stylus C84 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I0D2.EXE" [2003-09-12 99840]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-14 2043160]

"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-27 148888]

"RegTool"="c:\program files\Gemplus\GemSafe Libraries\BIN\RegTool.exe" [2005-06-08 40960]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-12 68856]

c:\documents and settings\SCS\Start Menu\Programs\Startup\

LaunchU3.exe.lnk - c:\documents and settings\SCS\Application Data\Microsoft\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2008-11-14 1078]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

EPSON Status Monitor 3 Environment Check 2.lnk - c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE [2009-3-2 131584]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-19 08:26 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2009-10-02 11:06 87352 ----a-w- c:\windows\SYSTEM32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [17/06/2008 09:18 335240]

R2 ASFAgent;ASF Agent;c:\program files\intel\ASF Agent\ASFAgent.exe [08/05/2002 09:51 212992]

R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [17/06/2008 09:18 297752]

R2 GemSAFE Card Server;GemSAFE Card Server;c:\program files\Gemplus\GemSafe Libraries\BIN\GCardSrvNT.exe [20/01/2006 18:15 118784]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [24/07/2008 18:46 12856]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\SYSTEM32\DRIVERS\LMIRfsDriver.sys [27/11/2008 13:20 47640]

R2 NetAlrt;NetAlrt;c:\windows\SYSTEM32\DRIVERS\Netalrt.sys [07/05/2002 16:05 39680]

R2 PlatAlrt;PlatAlrt;c:\windows\SYSTEM32\DRIVERS\platalrt.sys [07/05/2002 16:06 23744]

R3 GTwinUSB;GTwinUSB;c:\windows\SYSTEM32\DRIVERS\GTwinUSB.sys [15/04/2004 09:31 61776]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys [15/02/2010 16:25 38224]

S4 LMIRfsClientNP;LMIRfsClientNP; [x]

.

Contents of the 'Scheduled Tasks' folder

2010-02-12 c:\windows\Tasks\Norton Security Scan for SCS.job

- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2009-12-11 11:54]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

uInternet Connection Wizard,ShellNext = iexplore

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\SCS\Application Data\Mozilla\Firefox\Profiles\s1w6tx00.default\

FF - plugin: c:\documents and settings\SCS\Application Data\Mozilla\Firefox\Profiles\s1w6tx00.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll

FF - plugin: c:\documents and settings\SCS\Application Data\Mozilla\Firefox\Profiles\s1w6tx00.default\extensions\OberonGameHost@OberonGames.com\platform\WINNT_x86-msvc\plugins\npOberonGameHost.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\Npcsig.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-WinVNC - c:\program files\TightVNC\WinVNC.exe

Notify-40bad53e382 - c:\windows\system32\__c002E410.dat

AddRemove-SpyBotSnD - c:\program files\Spybot - Search & Destroy 1.1\SpybotSD.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-02-15 17:16

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h
