remnants of antivirus soft rouge a/v

[valveman]

Hi, Myself or my girlfriends daughter has managed to pick up a nasty virus on my pc and Im hoping you can help.

I had my suspicions that it didnt seem to be running as smooth as usual a few week back, so i performed full scans with AVG and SuperAnti Spyware, but they found nothing.

Then the other day I turned on the pc, went on facebook just to look at friends status - and all of a sudden - a little windows warning window popped up saying my computer was at risk from viruses, and yes or no options to scan now.

I closed the little window, tried to open AVG but another window popped open telling me that AVG has failed to load.

I then tried to open SuperAnti Spyware, and the same little window opened up, so I closed that, but this time I noticed a warning icon on the right of my taskbar. It looked like the windows firewall warning, so I clicked it and the firewall window opened telling me my antivirus was switched off.

As soon as i managed to read it, a rogue anti virus window opened (im sure it was called antivirus soft, and neither of us have installed it) which looked like it was scanning and finding like 90 viruses a second. Before I had a chance to do anything, my pc crashed to the blue screen of death for a second or so, then restarted.

As soon as I realised it was restarting I repeatedly hit F8, booted in safemode, and performed scans with AVG and SAS, which both found nothing, then advanced system care, which seemed to find just the usual crap.

So then i used the start up manager in ASC, and noticed 2 new entrys, with random names - Asam.exe,clsigpitssd.exe and tlgidlktssd.exe, disabled them, restarted in normal mode and when i logged into my settings, AVG started up and found about 10 different threats (backdoors,trojans, malware etc.) so i did a new full scan, and deleted them.

Then I tried to open Internet explorer, but it wouldnt connect. After about 30 mins i found the option to reset IE, so I did, and it then worked, so I d/loaded MBAM, and after struggling to get it to work and a bit of time searching on the internet for a solution, fixed it, did a full scan and I cant be sure but I think it found 1 threat.

Since then the pc has been virtually bug free, except sometimes application windows like IE or folders take ages to close after clicking the close tab, virtually evertime i click a link, it gets redirected to some random site, (a lot of the time to ask jeeves) and the occasional random pop-up.

If youve read this far and ive not bored you to death, could you please help me, as im unsure if there is anything nasty lying dormant just ready to cripple my pc.

I have done the mbam scan, defogger,dds and Gmer as requsted in the 'What to do' section, but had to do Gmer in safe mode(which took all day) as it crashes my pc everytime in normal mode.

Many thanks in advance

DDS (Ver_10-03-17.01) - NTFSx86

Run by mark at 22:46:35.59 on Mon 05/17/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1449 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

svchost.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\WINDOWS\system32\rundll32.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Taskbar Activate\TaskbarActivate.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\mark\Desktop\mbam fix\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File

TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

mRun: [nwiz] nwiz.exe /installquiet

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

mRun: [iM Sniffer]

StartupFolder: c:\docume~1\mark\startm~1\programs\startup\taskba~1.lnk - c:\program files\taskbar activate\TaskbarActivate.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll

Notify: avgrsstarter - avgrsstx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mark\applic~1\mozilla\firefox\profiles\dsb6fgz0.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 5555

FF - prefs.js: network.proxy.type - 1

FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-11 216200]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-11 29512]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-11 242896]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-10-12 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 61440]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-5-11 308064]

R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-5 135664]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-5-11 430152]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 12872]

S3 SNCT511;PC Camera (6005 CIF);c:\windows\system32\drivers\snct511.sys [2010-4-27 229376]

=============== Created Last 30 ================

2010-05-17 21:37:40 0 d-----w- c:\program files\IMBoss

2010-05-17 21:04:59 0 d-----w- c:\program files\IM Sniffer

2010-05-11 18:58:35 0 d--h--w- C:\$AVG

2010-05-11 18:54:52 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9

2010-05-10 12:09:25 20 ----a-w- c:\documents and settings\mark\defogger_reenable

2010-05-08 20:16:33 0 d-----w- c:\docume~1\mark\applic~1\TS3Client

2010-05-06 15:10:34 0 d-----w- c:\program files\Taskbar Activate

2010-05-05 22:47:05 54156 ---ha-w- c:\windows\QTFont.qfn

2010-05-05 22:47:05 1409 ----a-w- c:\windows\QTFont.for

2010-05-04 08:08:59 0 d-----w- c:\docume~1\mark\applic~1\Malwarebytes

2010-05-04 08:08:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-04 08:08:52 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-04 08:08:52 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-04 08:08:52 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-05-03 19:01:44 0 d-----w- c:\docume~1\mark\applic~1\Uniblue

2010-05-02 17:32:02 880 ----a-w- c:\documents and settings\mark\.recently-used.xbel

2010-04-27 11:51:25 0 d-----w- c:\program files\Windows Media Components

2010-04-27 11:51:25 0 d-----w- c:\program files\Mingjong

2010-04-27 11:49:48 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys

2010-04-27 11:49:45 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys

2010-04-27 11:49:42 16384 ----a-w- c:\windows\system32\ipsink.ax

2010-04-27 11:49:42 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys

2010-04-27 11:49:39 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys

2010-04-27 11:49:36 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS

2010-04-27 11:49:32 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys

2010-04-27 11:49:28 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys

2010-04-27 11:49:21 91136 ----a-w- c:\windows\system32\kswdmcap.ax

2010-04-27 11:49:21 53760 ----a-w- c:\windows\system32\vfwwdm32.dll

2010-04-27 11:49:21 43008 ----a-w- c:\windows\system32\ksxbar.ax

2010-04-27 11:49:20 61952 ----a-w- c:\windows\system32\kstvtune.ax

2010-04-27 11:48:50 53248 ----a-w- c:\windows\amcap.exe

2010-04-27 11:48:50 307200 ----a-w- c:\windows\vidcap32.exe

2010-04-27 11:48:44 61440 ----a-w- c:\windows\system32\dsnct511.dll

2010-04-27 11:48:44 49152 ----a-w- c:\windows\system32\vsnct511.dll

2010-04-27 11:48:44 28672 ----a-w- c:\windows\vsnct511.exe

2010-04-27 11:48:44 28672 ----a-w- c:\windows\system32\dsnct511.ax

2010-04-27 11:48:44 229376 ----a-w- c:\windows\system32\drivers\snct511.sys

2010-04-27 11:48:44 20480 ----a-w- c:\windows\dsnct511.exe

2010-04-27 11:48:44 15493 ----a-w- c:\windows\snct511.ini

2010-04-27 11:48:44 12827 ----a-w- c:\windows\snct511.src

2010-04-27 11:48:44 120874 ----a-w- c:\windows\usnct511.exe

2010-04-27 11:48:44 0 d-----w- c:\program files\common files\snct511

2010-04-22 19:46:11 0 dc-h--w- c:\windows\ie8

==================== Find3M ====================

2010-05-11 18:57:36 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-05-11 18:57:34 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-05-11 18:57:32 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-05-03 20:21:48 1636 ----a-w- c:\windows\system32\tmp.reg

2010-04-29 21:10:29 138592 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys

2010-04-29 21:10:15 219128 ----a-w- c:\windows\system32\PnkBstrB.exe

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll

2009-04-17 19:30:02 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009040620090413\index.dat

2009-04-17 19:30:02 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009041720090418\index.dat

============= FINISH: 22:48:41.53 ===============

Attach.zip

ark.zip

[Maniac]

Hello valveman! Welcome to MalwareBytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

• The process of cleaning your system may take some time, so please be patient.
  
• Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  
• Instructions that I give are for your system only!
  
• If you don't know or can't understand something please ask.
  
• Do not install or uninstall any software or hardware, while work on.
  

Step 1:

Please, uninstall the following applications:

1. Adobe Reader 9.1.3
   

You can read, how to this in:

• Windows XP
  
• Windows Vista
  
• Windows 7
  

Step 2:

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

Then run this tool to help cleanup any left over Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

• Double-click on JavaRa.exe to start the program.
  
• From the drop-down menu, choose English and click on Select.
  
• JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  
• Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  
• A logfile will pop up. Please save it to a convenient location and post it back when you reply
  Then look for the following Java folders and if found delete them.
  C:\Program Files\Java
  C:\Program Files\Common Files\Java
  C:\Windows\Sun
  C:\Documents and Settings\All Users\Application Data\Java
  C:\Documents and Settings\All Users\Application Data\Sun\Java
  C:\Documents and Settings\username\Application Data\Java
  C:\Documents and Settings\username\Application Data\Sun\Java
  

Step 3:

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

1. If you are using Firefox, make sure that your download settings are as follows:
   
   • Open Tools -> Options -> Main tab
     
   • Set to Always ask me where to Save the files.
     

[*]During the download, rename Combofix to Combo-Fix as follows:

[*]It is important you rename Combofix during the download, but not after.

[*]Please do not rename Combofix to other names, but only to the one indicated.

[*]Close any open browsers.

[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  
• Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  

  -----------------------------------------------------------

  
  

• Close any open browsers.
  
• WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  
• If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  

-----------------------------------------------------------

[*]Double click on combo-Fix.exe & follow the prompts.

[*]When finished, it will produce a report for you.

[*]Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

In your next reply, please include these log(s) in this sequence:

1. JavaRa log
   
2. ComboFix log
   

[valveman]

Hello Borislav, Thank you for the quick reply.

I followed your instructions, and I know I might not have the all clear yet, but while it was doin its stuff, combofix found and deleted a rootkit.

after a very long 1st post, I'll try keep this one short heres my logs:

JavaRa 1.15 Removal Log.Report follows after line.------------------------------------The JavaRa removal process was started on Tue May 18 20:56:59 2010

Found and removed: SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}------------------------------------Finished reporting.JavaRa 1.15 Removal Log.Report follows after line.------------------------------------The JavaRa removal process was started on Tue May 18 20:57:21 2010

------------------------------------Finished reporting.

combo_fix_log.zip

[Maniac]

I have bad news for you!

Your system seems seriously infected. Among other things, numerous and important system files are modified. ComboFix log shows that no clean copies to be replaced. In this case, we recommend to our users to re-install their operating systems.

Sorry!

[valveman]

Oh well, thanks for your time anyway Borislav......

ps, nice sig

[Maniac]

Thank you!

Sorry again!

[Maurice Naggar]

Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.