

Hi. I got something on my computer that is hijacking search results from Yahoo and Google. It is redirected to googleadservices.com and on to some fake websites. When I uninstall and reinstall Firefox, it comes back. It is affecting both the Firefox and IE 8 browsers. I scanned with Live Essential, AVG and Malwarebytes and they are not finding anything.

I could get DDS.txt and Attach.txt, but running GMER froze my computer. I ran it again after disabling the antivirus and it crashed my computer and I got a blue screen. I'd rather not run GMER again unless you guys suggest otherwise.

DDS (Ver_10-03-17.01) - NTFSx86

Run by zaw at 14:12:27.04 on Fri 06/04/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2442 [GMT -5:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Microsoft Security Essentials\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

svchost.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\AVG\AVG9\avgfws9.exe

C:\Program Files\GNU\GnuPG\dirmngr.exe

C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\AVG\AVG9\avgam.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\AVG\AVG9\avgemc.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe

C:\Program Files\Brownie\BrstsWnd.exe

C:\Program Files\Microsoft Security Essentials\msseces.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Brownie\Brnipmon.exe

C:\Program Files\MMTaskbar\MultiMon.exe

C:\Program Files\Secunia\PSI\psi.exe

C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\Program Files\Windows Live\Contacts\wlcomm.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\zaw\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"

mRun: [brStsWnd] c:\program files\brownie\BrstsWnd.exe Autorun

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey

StartupFolder: c:\docume~1\zaw\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe

StartupFolder: c:\docume~1\zaw\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\multim~1.lnk - c:\program files\mmtaskbar\MultiMon.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1274330750734

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Notify: avgrsstarter - avgrsstx.dll

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2010-5-19 25096]

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-5-19 52872]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-5-19 216200]

R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-5-19 29584]

R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-5-19 242896]

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]

R2 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-5-19 916760]

R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-5-19 308064]

R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2010-6-1 2331544]

R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-5-19 5888008]

R2 DirMngr;DirMngr;c:\program files\gnu\gnupg\dirmngr.exe [2010-4-12 242176]

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-5-1 181544]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-5-19 304464]

R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-5-19 30104]

R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2010-5-19 122376]

R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2010-5-19 30216]

R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2010-5-19 26120]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-5-19 20952]

R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-6-17 14896]

S0 cerc6;cerc6; [x]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-19 136176]

S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-5-19 30104]

=============== Created Last 30 ================

2010-06-04 18:17:37 21 ----a-w- c:\windows\S.dirmngr

2010-06-04 18:15:45 0 ----a-w- c:\documents and settings\zaw\defogger_reenable

2010-06-04 17:35:49 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-06-04 17:33:53 0 d-----w- c:\program files\Microsoft Security Essentials

2010-06-04 03:17:03 0 d-----w- c:\docume~1\zaw\applic~1\OpenOffice.org

2010-06-04 03:15:35 0 d-----w- c:\program files\ASAP Utilities

2010-06-04 03:15:35 0 d-----w- c:\docume~1\zaw\applic~1\ASAP Utilities

2010-06-02 20:13:58 0 d-----w- c:\program files\MSECache

2010-05-31 22:06:29 0 d-----w- c:\program files\Secunia

2010-05-25 19:39:29 306688 ----a-w- c:\windows\IsUninst.exe

2010-05-25 14:50:39 0 d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2

2010-05-25 03:21:08 44800 ----a-w- c:\docume~1\zaw\applic~1\GDIPFONTCACHEV1.DAT

2010-05-25 02:58:16 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs

2010-05-25 02:58:07 6756632 ----a-w- c:\windows\system32\drivers\lvuvc.sys

2010-05-25 02:58:07 539160 ----a-w- c:\windows\system32\LVUI2RC.dll

2010-05-25 02:58:07 539160 ----a-w- c:\windows\system32\LVUI2.dll

2010-05-25 02:58:07 416280 ----a-w- c:\windows\system32\lvcodec2.dll

2010-05-25 02:58:07 266828 ----a-w- c:\windows\system32\drivers\LVAFT.cfg

2010-05-25 02:57:53 82289 ----a-w- c:\windows\system32\lvcoinst.ini

2010-05-25 02:57:53 34068 ----a-w- c:\windows\system32\Repository.reg

2010-05-25 02:57:53 266008 ----a-w- c:\windows\system32\drivers\lvrs.sys

2010-05-25 02:57:53 199192 ----a-w- c:\windows\system32\lvci12101110.dll

2010-05-25 02:57:46 0 ----a-w- c:\windows\system32\drivers\logiflt.iad

2010-05-25 02:57:45 0 d-----w- c:\windows\system32\ReinstallBackups

2010-05-25 02:57:43 23832 ----a-w- c:\windows\system32\drivers\lvuvcflt.sys

2010-05-22 03:39:41 0 d-----w- c:\docume~1\zaw\applic~1\gnupg

2010-05-22 03:39:40 0 d-----w- c:\docume~1\alluse~1\applic~1\GNU

2010-05-22 03:39:35 0 d-----w- c:\program files\GNU

2010-05-21 21:07:05 0 d-----w- C:\ZUD4233

2010-05-21 17:21:19 454656 ----a-w- c:\program files\putty.exe

2010-05-20 19:17:57 274288 ----a-w- c:\windows\system32\mucltui.dll

2010-05-20 19:17:57 16736 ----a-w- c:\windows\system32\mucltui.dll.mui

2010-05-20 15:59:46 77824 ------w- c:\windows\system32\brlmw03a.dll

2010-05-20 15:59:46 146 ----a-w- c:\windows\BRVIDEO.INI

2010-05-20 15:59:46 114 ------w- c:\windows\system32\brlmw03a.ini

2010-05-20 15:59:46 0 ----a-w- c:\windows\brmx2001.ini

2010-05-20 15:59:45 9868 ----a-w- c:\windows\HL-2170W.INI

2010-05-20 15:59:45 0 d-----w- c:\program files\Brownie

2010-05-20 15:59:40 410 ----a-w- c:\windows\BRWMARK.INI

2010-05-20 15:59:40 34 ----a-w- c:\windows\system32\BD2170W.DAT

2010-05-20 15:59:34 94208 ----a-w- c:\windows\system32\BRRBTOOL.EXE

2010-05-20 15:59:34 176128 ------w- c:\windows\system32\BROSNMP.DLL

2010-05-20 15:59:33 24223 ----a-w- c:\windows\system32\BRLM03A.DLL

2010-05-20 15:59:33 196608 ------w- c:\windows\system32\Pdrvinst.dll

2010-05-20 15:59:33 0 d-----w- c:\program files\Brother

2010-05-20 15:57:09 318 ----a-w- c:\windows\Brownie.ini

2010-05-20 15:51:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Brother

2010-05-20 14:16:47 0 d-----w- c:\documents and settings\zaw\Tracing

2010-05-20 14:16:19 0 d-----w- c:\program files\Microsoft

2010-05-20 14:16:06 0 d-----w- c:\program files\Windows Live SkyDrive

2010-05-20 14:14:02 0 d-----w- c:\program files\common files\Windows Live

2010-05-20 05:13:12 0 d-----w- c:\program files\MSXML 4.0

2010-05-20 05:09:42 0 d-----w- c:\docume~1\zaw\applic~1\Office Genuine Advantage

2010-05-20 05:08:57 0 d-----w- c:\program files\WinSCP

2010-05-20 05:00:14 0 d-----w- c:\program files\Seagate

2010-05-20 05:00:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Seagate

2010-05-20 04:59:39 0 d-sh--w- c:\windows\ftpcache

2010-05-20 04:51:53 0 d-----w- c:\program files\JRE

2010-05-20 04:51:51 0 d-----w- c:\program files\OpenOffice.org 3

2010-05-20 04:43:35 376 ----a-w- c:\windows\ODBC.INI

2010-05-20 04:43:14 0 d-----w- c:\program files\Microsoft ActiveSync

2010-05-20 04:42:46 0 d-----w- c:\windows\ShellNew

2010-05-20 04:22:26 0 d-----w- c:\program files\PDFTK Builder

2010-05-20 04:20:56 0 d-----w- c:\docume~1\zaw\applic~1\Softland

2010-05-20 04:20:54 7549 ----a-w- c:\windows\system32\dopdf7.ctm

2010-05-20 04:20:54 22856 ----a-w- c:\windows\system32\dopdfmn7.dll

2010-05-20 04:20:54 19784 ----a-w- c:\windows\system32\dopdfmi7.dll

2010-05-20 04:20:52 1700352 ----a-w- c:\windows\system32\GdiPlus.dll

2010-05-20 04:20:52 0 d-----w- c:\program files\Softland

2010-05-20 04:18:04 0 d-----w- c:\program files\MMTaskbar

2010-05-20 04:15:24 0 d-----w- c:\program files\Tracker Software

2010-05-20 02:42:08 0 d-----w- c:\docume~1\zaw\applic~1\Malwarebytes

2010-05-20 02:41:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-20 02:41:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-20 02:41:19 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-20 02:41:19 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-05-20 02:29:23 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys

2010-05-20 02:29:23 25096 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys

2010-05-20 02:29:23 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-05-20 02:29:22 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-05-20 02:29:18 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-05-20 02:29:16 0 d-----w- c:\windows\system32\drivers\Avg

2010-05-20 02:28:12 50968 ----a-w- c:\windows\system32\avgfwdx.dll

2010-05-20 02:28:12 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys

2010-05-20 02:27:24 0 d-----w- c:\program files\AVG

2010-05-20 02:27:08 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9

2010-05-20 02:10:24 0 d-sh--w- c:\documents and settings\zaw\IECompatCache

2010-05-20 02:09:25 0 d-sh--w- c:\documents and settings\zaw\PrivacIE

2010-05-20 02:08:49 0 d-sh--w- c:\documents and settings\zaw\IETldCache

2010-05-20 01:53:58 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys

2010-05-20 01:50:54 272128 -c----w- c:\windows\system32\dllcache\bthport.sys

2010-05-20 01:50:54 272128 ------w- c:\windows\system32\drivers\bthport.sys

2010-05-19 23:53:07 0 d-----w- c:\program files\Analog Devices

2010-05-19 23:42:27 0 d-----w- c:\program files\Broadcom

2010-05-19 23:28:56 0 d-----w- c:\program files\Dell

2010-05-19 23:22:43 0 d-sh--w- c:\documents and settings\all users\DRM

2010-05-19 23:22:31 0 d--h--w- c:\program files\WindowsUpdate

2010-05-19 23:22:08 0 d-----w- c:\program files\common files\MSSoap

2010-05-19 23:21:22 0 d-----w- c:\program files\Online Services

2010-05-19 23:21:20 0 d-----w- c:\program files\Messenger

2010-05-19 23:21:17 0 d-----w- c:\program files\MSN Gaming Zone

2010-05-19 23:20:54 0 d-----w- c:\program files\Windows NT

2010-05-19 22:17:30 0 d-----w- c:\program files\common files\ODBC

2010-05-19 22:17:28 0 d-----w- c:\program files\common files\SpeechEngines

2010-05-19 22:17:14 0 d-----r- c:\documents and settings\all users\Documents

==================== Find3M ====================

2010-05-28 11:04:52 14896 ----a-w- c:\windows\system32\drivers\psi_mf.sys

2010-05-19 23:21:26 21640 ----a-w- c:\windows\system32\emptyregdb.dat

2010-04-17 03:12:18 48464 ----a-w- c:\windows\system32\sirenacm.dll

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll

============= FINISH: 14:12:54.89 ===============


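An added triage example, not part of this thread and not code from the DDS, GMER or Malwarebytes tools: a small parser for the two DDS sections a helper reads first, the "Pseudo HJT Report" (BHOs, toolbars, Run keys, DPF ActiveX downloads, Winlogon Notify packages) and "SERVICES / DRIVERS". The rule names, the `Finding` type and the `triage` helper are this example's own; the sample input is an excerpt copied from the report posted above. The rules flag the things worth a second look in any such log: a BHO registered with "No File" (an orphaned CLSID), a Run entry without a full path (resolved through the PATH or App Paths at logon), DPF entries (code pulled from a URL), Winlogon Notify DLLs (a classic persistence point), and a service whose image path is missing (`[x]`). In the posted log these fire on the orphaned BHO, `nwiz.exe`, the Adobe DPF cab, the AVG notify DLL and the `cerc6` service, none of which by itself is evidence of the redirect; the point is to get a short review list out of a long dump.

```python
"""Triage helper for a DDS 'Pseudo HJT Report' and 'SERVICES / DRIVERS' dump.

Added example, not part of the forum thread or of the DDS tool. The rule
names and the Finding/triage helpers are this example's own; the sample
below is an excerpt of the report posted in the thread.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the DDS report in the first post.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [nwiz] nwiz.exe /install
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: avgrsstarter - avgrsstx.dll
============= SERVICES / DRIVERS ===============
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-5-19 52872]
S0 cerc6;cerc6; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-19 136176]
"""


@dataclass(frozen=True)
class Finding:
    rule: str    # which heuristic fired (names are this example's own)
    entry: str   # the DDS line, verbatim, so it can be quoted back in a reply


SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
HJT_RE = re.compile(r"^(?P<kind>BHO|TB|uRun|mRun|StartupFolder|IE|DPF|Handler|Notify):\s*(?P<body>.*)$")
# DDS service line: "<state> <name>;<display name>;<image path> [date size]" or "... [x]"
SVC_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*)$")
HAS_DRIVE = re.compile(r"[a-z]:\\", re.I)


def split_sections(text):
    """Group non-empty lines under the '=== Title ===' header that precedes them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def triage_hjt(lines):
    findings = []
    for line in lines:
        m = HJT_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("BHO", "TB") and body.endswith("- No File"):
            # CLSID still registered but its DLL is gone: orphan, remove the key.
            findings.append(Finding("orphan-clsid", line))
        elif kind in ("uRun", "mRun"):
            cmd = body.split("]", 1)[1].strip()  # drop the "[ValueName]" prefix
            if not HAS_DRIVE.search(cmd):
                # Bare file name: what runs depends on PATH / App Paths, so verify it.
                findings.append(Finding("run-no-full-path", line))
        elif kind == "DPF":
            # Downloaded Program File: ActiveX fetched from a URL, confirm the origin.
            findings.append(Finding("activex-download", line))
        elif kind == "Notify":
            # Winlogon Notify DLL runs at logon in winlogon's context; always review.
            findings.append(Finding("winlogon-notify", line))
    return findings


def triage_services(lines):
    findings = []
    for line in lines:
        m = SVC_RE.match(line)
        if not m:
            continue
        image = m.group("image").strip()
        if image == "[x]" or not HAS_DRIVE.search(image):
            # Registered driver/service with no image on disk: stale or hidden.
            findings.append(Finding("service-missing-image", line))
    return findings


def triage(text):
    sections = split_sections(text)
    return (triage_hjt(sections.get("pseudo hjt report", []))
            + triage_services(sections.get("services / drivers", [])))


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"{f.rule:24} {f.entry}")
```

Run it against a full DDS.txt by reading the file into `triage()`; every finding carries the original line so it can be pasted into a reply. The rules are deliberately conservative review prompts, not malware verdicts: the orphaned BHO and the `[x]` service in this log are the kind of leftovers a helper clears with a fix script, and the DPF entries here point at Microsoft and Adobe hosts.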

Hello shwekhaw! Welcome to MalwareBytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Stay with the topic until I tell you that your system is clean. A lack of symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware while we work on this.

Step 1

First of all, you should not have more than one anti-virus program installed as they will conflict and cause problems. You have two so you need to uninstall one of them. Of the two, I would recommend keeping AVG, so please uninstall Microsoft Security Essentials.

Step 2

**Note: If you need more detailed information, please visit the web page of ComboFix at BleepingComputer.**

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do not do any fixing on your own or run any scanners unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  2. During the download, rename Combofix to Combo-Fix (see the two screenshots, CF_download_FF.gif and CF_download_rename.gif).
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to re-connect your machine to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore your connection.

-----------------------------------------------------------

  7. Double click on Combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to stall.**


Hi Borislav. Thank you in advance for helping out.

I installed Microsoft Live Essential only after I got this problem, hoping it would fix what AVG and Malwarebytes could not fix. Now I have uninstalled it as you suggested. I exited Malwarebytes' real-time protection, disabled AVG Resident Shield, and disabled the Email and Link scanners. I did not disable AVG Identity Protection.

So as soon as Combo-Fix.exe started (when there was a pop-up asking if I agree to the terms and want to proceed, Yes or No), AVG Identity Protection warned that C:\32788R22FWJFW\IEXPLORE.EXE was found to be malware and asked me if I wanted to allow or quarantine it. I chose Quarantine. Then I chose No to exit Combo-Fix.

Then I disabled AVG Identity Protection and reran Combo-Fix. The AVG firewall popped up with a message that COMBOFIX-DOWNLOAD.CFXXE was trying to access the internet. I chose BLOCK. During that time, I saw Secunia PSI in the status bar pop up with the message "Tool-NirCmd software patched". Then Combo-Fix wanted to download and install the Windows Recovery Console (or something like that). I pressed YES and the AVG firewall popped up with the same message as before, asking for COMBOFIX-DOWNLOAD.CFXXE to access the internet. I ALLOWED the access. Then everything went on without further warnings. Following is the file you requested. The problem still exists at this moment.

ComboFix 10-06-03.01 - zaw 06/04/2010 16:23:39.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2662 [GMT -5:00]

Running from: c:\documents and settings\zaw\Desktop\Combo-Fix.exe

AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

I:\Autorun.inf

.

((((((((((((((((((((((((( Files Created from 2010-05-04 to 2010-06-04 )))))))))))))))))))))))))))))))

.

2010-06-04 17:35 . 2010-05-21 19:14 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-06-04 03:17 . 2010-06-04 03:17 1 ----a-w- c:\documents and settings\zaw\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys

2010-06-04 03:17 . 2010-06-04 03:17 -------- d-----w- c:\documents and settings\zaw\Application Data\OpenOffice.org

2010-06-04 03:15 . 2010-06-04 03:15 -------- d-----w- c:\program files\ASAP Utilities

2010-06-04 03:15 . 2010-06-04 03:15 -------- d-----w- c:\documents and settings\zaw\Application Data\ASAP Utilities

2010-06-02 20:13 . 2010-06-02 20:13 -------- d-----w- c:\program files\MSECache

2010-06-01 15:19 . 2010-06-01 15:19 29512 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys

2010-06-01 15:19 . 2010-06-01 15:19 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys

2010-05-31 22:06 . 2010-05-31 22:06 -------- d-----w- c:\program files\Secunia

2010-05-27 15:34 . 2010-05-27 15:34 26694 ----a-r- c:\documents and settings\zaw\Application Data\Microsoft\Installer\{F6249ABF-F16D-4AF3-8755-4D62F799C238}\_FCF4B120D6A8BD6C385184.exe

2010-05-27 15:34 . 2010-05-27 15:34 26694 ----a-r- c:\documents and settings\zaw\Application Data\Microsoft\Installer\{F6249ABF-F16D-4AF3-8755-4D62F799C238}\_6FEFF9B68218417F98F549.exe

2010-05-26 15:14 . 2010-05-26 15:14 501872 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb9AD.tmp.exe

2010-05-25 19:40 . 2010-05-25 19:40 -------- d-----w- c:\program files\Common Files\Adobe

2010-05-25 19:39 . 1998-10-29 21:45 306688 ----a-w- c:\windows\IsUninst.exe

2010-05-25 14:50 . 2010-05-25 14:50 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2

2010-05-25 14:50 . 2010-05-25 14:50 501872 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb673.tmp.exe

2010-05-25 02:58 . 2009-10-07 08:49 6756632 ----a-w- c:\windows\system32\drivers\lvuvc.sys

2010-05-25 02:58 . 2009-10-07 08:48 539160 ----a-w- c:\windows\system32\LVUI2RC.dll

2010-05-25 02:58 . 2009-10-07 08:48 539160 ----a-w- c:\windows\system32\LVUI2.dll

2010-05-25 02:58 . 2009-10-07 08:43 416280 ----a-w- c:\windows\system32\lvcodec2.dll

2010-05-25 02:57 . 2009-10-07 08:47 266008 ----a-w- c:\windows\system32\drivers\lvrs.sys

2010-05-25 02:57 . 2009-10-07 08:43 199192 ----a-w- c:\windows\system32\lvci12101110.dll

2010-05-25 02:57 . 2009-10-07 08:24 34068 ----a-w- c:\windows\system32\Repository.reg

2010-05-25 02:57 . 2009-10-07 08:49 23832 ----a-w- c:\windows\system32\drivers\lvuvcflt.sys

2010-05-25 02:57 . 2010-05-25 02:58 -------- d-----w- c:\program files\Common Files\LogiShrd

2010-05-24 14:50 . 2010-05-24 14:50 -------- d-----w- c:\program files\QuickTime

2010-05-24 14:50 . 2010-05-24 14:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

2010-05-24 14:50 . 2010-05-24 14:50 -------- d-----w- c:\program files\Common Files\Apple

2010-05-24 14:50 . 2010-05-24 14:50 -------- d-----w- c:\documents and settings\zaw\Local Settings\Application Data\Apple

2010-05-24 14:50 . 2010-05-24 14:50 -------- d-----w- c:\program files\Apple Software Update

2010-05-24 14:50 . 2010-05-24 14:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

2010-05-24 14:50 . 2010-05-24 14:50 -------- d-----w- c:\documents and settings\zaw\Local Settings\Application Data\Apple Computer

2010-05-24 02:57 . 2010-06-04 17:29 -------- d-----w- c:\program files\Microsoft Silverlight

2010-05-22 03:39 . 2010-05-28 21:25 -------- d-----w- c:\documents and settings\zaw\Application Data\gnupg

2010-05-22 03:39 . 2010-05-22 03:39 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\GNU

2010-05-22 03:39 . 2010-05-22 03:39 -------- d-----w- c:\documents and settings\LocalService\Application Data\gnupg

2010-05-22 03:39 . 2010-05-22 03:39 -------- d-----w- c:\documents and settings\All Users\Application Data\GNU

2010-05-22 03:39 . 2010-05-22 03:39 -------- d-----w- c:\program files\GNU

2010-05-21 21:55 . 2010-05-21 21:55 -------- d-----w- c:\documents and settings\zaw\Local Settings\Application Data\Identities

2010-05-21 21:07 . 2010-05-21 21:07 -------- d-----w- C:\ZUD4233

2010-05-21 17:21 . 2010-05-21 17:21 454656 ----a-w- c:\program files\putty.exe

2010-05-21 07:00 . 2010-05-21 07:00 -------- d-----w- c:\documents and settings\LocalService\Application Data\Malwarebytes

2010-05-20 23:29 . 2010-05-20 23:29 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Softland

2010-05-20 19:17 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll

2010-05-20 15:59 . 2004-08-10 05:42 77824 ------w- c:\windows\system32\brlmw03a.dll

2010-05-20 15:59 . 2010-05-20 15:59 -------- d-----w- c:\program files\Brownie

2010-05-20 15:59 . 2010-05-20 15:59 34 ----a-w- c:\windows\system32\BD2170W.DAT

2010-05-20 15:59 . 2007-08-19 16:34 94208 ----a-w- c:\windows\system32\BRRBTOOL.EXE

2010-05-20 15:59 . 2006-12-21 16:23 176128 ------w- c:\windows\system32\BROSNMP.DLL

2010-05-20 15:59 . 2010-05-20 15:59 -------- d-----w- c:\program files\Brother

2010-05-20 15:59 . 2009-05-26 00:14 196608 ------w- c:\windows\system32\Pdrvinst.dll

2010-05-20 15:59 . 2004-09-23 15:00 24223 ----a-w- c:\windows\system32\BRLM03A.DLL

2010-05-20 15:51 . 2010-05-20 15:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Brother

2010-05-20 14:16 . 2010-06-04 19:03 -------- d-----w- c:\documents and settings\zaw\Tracing

2010-05-20 14:16 . 2010-05-20 14:16 -------- d-----w- c:\program files\Microsoft

2010-05-20 14:16 . 2010-05-20 14:16 -------- d-----w- c:\program files\Windows Live SkyDrive

2010-05-20 14:15 . 2010-05-20 14:16 -------- d-----w- c:\program files\Windows Live

2010-05-20 14:14 . 2010-05-20 14:14 -------- d-----w- c:\program files\Common Files\Windows Live

2010-05-20 14:13 . 2010-06-04 17:34 48688 ----a-w- c:\documents and settings\zaw\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-05-20 05:13 . 2010-05-20 05:13 -------- d-----w- c:\program files\MSXML 4.0

2010-05-20 05:09 . 2010-05-20 05:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage

2010-05-20 05:09 . 2010-05-20 05:09 -------- d-----w- c:\documents and settings\zaw\Application Data\Office Genuine Advantage

2010-05-20 05:08 . 2010-05-20 05:08 -------- d-----w- c:\program files\WinSCP

2010-05-20 05:00 . 2010-05-20 05:00 -------- d-----w- c:\program files\Seagate

2010-05-20 05:00 . 2010-05-20 05:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Seagate

2010-05-20 04:59 . 2010-05-20 04:59 -------- d-----w- c:\documents and settings\zaw\Local Settings\Application Data\Downloaded Installations

2010-05-20 04:59 . 2010-05-20 04:59 -------- d-sh--w- c:\windows\ftpcache

2010-05-20 04:43 . 2010-05-20 04:43 -------- d-----w- c:\program files\Microsoft ActiveSync

2010-05-20 04:42 . 2010-05-20 04:43 -------- d-----w- c:\windows\ShellNew

2010-05-20 04:22 . 2010-05-20 04:22 -------- d-----w- c:\program files\PDFTK Builder

2010-05-20 04:20 . 2010-05-20 04:20 -------- d-----w- c:\documents and settings\zaw\Application Data\Softland

2010-05-20 04:20 . 2010-05-20 04:20 -------- d-----w- c:\documents and settings\LocalService\Application Data\Softland

2010-05-20 04:20 . 2010-05-12 22:02 22856 ----a-w- c:\windows\system32\dopdfmn7.dll

2010-05-20 04:20 . 2010-05-12 22:02 19784 ----a-w- c:\windows\system32\dopdfmi7.dll

2010-05-20 04:20 . 2010-05-20 04:20 -------- d-----w- c:\program files\Softland

2010-05-20 04:20 . 2010-02-05 20:00 1700352 ----a-w- c:\windows\system32\GdiPlus.dll

2010-05-20 04:18 . 2010-05-20 04:18 -------- d-----w- c:\program files\MMTaskbar

2010-05-20 04:15 . 2010-05-20 04:15 -------- d-----w- c:\program files\Tracker Software

2010-05-20 04:14 . 2010-05-20 04:14 0 ----a-w- c:\windows\nsreg.dat

2010-05-20 04:14 . 2010-05-20 04:14 -------- d-----w- c:\documents and settings\zaw\Local Settings\Application Data\Mozilla

2010-05-20 02:42 . 2010-05-20 02:42 -------- d-----w- c:\documents and settings\zaw\Application Data\Malwarebytes

2010-05-20 02:41 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-20 02:41 . 2010-05-20 02:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-20 02:41 . 2010-05-20 02:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-05-20 02:41 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-20 02:31 . 2010-05-20 02:31 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2010-05-20 02:29 . 2010-05-20 02:29 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-05-20 02:29 . 2010-05-20 02:29 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys

2010-05-20 02:29 . 2010-05-20 02:29 25096 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys

2010-05-20 02:29 . 2010-06-01 15:19 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-05-20 02:29 . 2010-05-20 02:29 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-05-20 02:29 . 2010-06-01 15:19 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-05-20 02:29 . 2010-06-04 14:21 -------- d-----w- c:\windows\system32\drivers\Avg

2010-05-20 02:28 . 2010-05-20 02:28 50968 ----a-w- c:\windows\system32\avgfwdx.dll

2010-05-20 02:28 . 2010-05-20 02:28 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys

2010-05-20 02:27 . 2010-05-20 02:27 -------- d-----w- c:\program files\AVG

2010-05-20 02:27 . 2010-05-20 02:27 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-05-20 02:23 . 2010-05-20 02:23 1956656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe

2010-05-20 02:22 . 2010-05-20 02:28 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-05-20 02:16 . 2010-05-20 02:16 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

2010-05-20 02:11 . 2010-05-20 02:11 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

2010-05-20 02:11 . 2010-05-27 15:34 -------- d-----w- c:\documents and settings\zaw\Local Settings\Application Data\Google

2010-05-20 02:11 . 2010-05-27 15:34 -------- d-----w- c:\program files\Google

2010-05-20 02:10 . 2010-05-20 02:10 -------- d-sh--w- c:\documents and settings\zaw\IECompatCache

2010-05-20 02:09 . 2010-05-20 02:09 -------- d-sh--w- c:\documents and settings\zaw\PrivacIE

2010-05-20 02:08 . 2010-05-20 02:08 -------- d-sh--w- c:\documents and settings\zaw\IETldCache

2010-05-20 02:05 . 2010-02-25 16:54 11070976 -c----w- c:\windows\system32\dllcache\ieframe.dll

2010-05-20 02:05 . 2010-02-25 06:24 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2010-05-20 02:05 . 2010-02-25 06:24 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2010-05-20 02:05 . 2010-02-25 06:24 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2010-05-20 02:05 . 2010-02-25 06:24 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2010-05-20 02:05 . 2010-02-25 06:24 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll

2010-05-20 02:05 . 2010-05-20 02:05 -------- d-----w- c:\windows\ie8updates

2010-05-20 02:05 . 2010-02-16 04:50 64000 -c----w- c:\windows\system32\dllcache\iecompat.dll

2010-05-20 02:05 . 2010-05-20 02:05 -------- dc-h--w- c:\windows\ie8

2010-05-20 01:53 . 2010-02-24 13:11 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys

2010-05-20 01:51 . 2010-02-17 14:10 2189952 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe

2010-05-20 01:51 . 2010-02-16 14:08 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe

2010-05-20 01:51 . 2010-02-16 13:25 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe

2010-05-20 01:51 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll

2010-05-20 01:50 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys

2010-05-20 01:50 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-04 01:54 . 2010-05-25 02:58 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs

2010-06-04 01:53 . 2010-05-25 02:57 0 ----a-w- c:\windows\system32\drivers\logiflt.iad

2010-05-28 11:04 . 2009-06-17 12:20 14896 ----a-w- c:\windows\system32\drivers\psi_mf.sys

2010-05-20 23:29 . 2010-05-19 23:22 87263 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2010-05-20 15:59 . 2010-05-19 23:52 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-05-20 04:51 . 2010-05-20 04:51 -------- d-----w- c:\program files\JRE

2010-05-20 04:51 . 2010-05-20 04:51 -------- d-----w- c:\program files\OpenOffice.org 3

2010-05-20 04:51 . 2010-05-20 04:51 -------- d-----w- c:\program files\Common Files\Java

2010-05-20 02:13 . 2010-05-19 23:52 -------- d-----w- c:\program files\Intel

2010-05-19 23:53 . 2010-05-19 23:53 -------- d-----w- c:\program files\Analog Devices

2010-05-19 23:53 . 2010-05-19 23:53 -------- d-----w- c:\program files\Common Files\InstallShield

2010-05-19 23:52 . 2010-05-19 23:52 -------- d-----w- c:\documents and settings\zaw\Application Data\InstallShield

2010-05-19 23:42 . 2010-05-19 23:42 -------- d-----w- c:\program files\Broadcom

2010-05-19 23:28 . 2010-05-19 23:28 45056 ----a-r- c:\documents and settings\zaw\Application Data\Microsoft\Installer\{42929F0F-CE14-47AF-9FC7-FF297A603021}\NewShortcut1_42929F0FCE1447AF9FC7FF297A603021_1.exe

2010-05-19 23:28 . 2010-05-19 23:28 10134 ----a-r- c:\documents and settings\zaw\Application Data\Microsoft\Installer\{42929F0F-CE14-47AF-9FC7-FF297A603021}\ARPPRODUCTICON.exe

2010-05-19 23:28 . 2010-05-19 23:28 -------- d-----w- c:\program files\Dell

2010-05-19 23:23 . 2010-05-19 23:23 -------- d-----w- c:\program files\microsoft frontpage

2010-05-19 23:21 . 2010-05-19 23:21 21640 ----a-w- c:\windows\system32\emptyregdb.dat

2010-04-17 03:12 . 2010-04-17 03:12 48464 ----a-w- c:\windows\system32\sirenacm.dll

2010-03-10 06:15 . 2008-04-14 07:00 420352 ----a-w- c:\windows\system32\vbscript.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-13 13578240]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-08-01 1036288]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-05-01 185640]

"BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2009-06-11 3618104]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

c:\documents and settings\zaw\Start Menu\Programs\Startup\

OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]

Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2010-5-28 911920]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-5-25 113664]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

MultiMon Taskbar.lnk - c:\program files\MMTaskbar\MultiMon.exe [2010-5-19 294912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-05-20 02:29 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [5/19/2010 9:29 PM 25096]

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [5/19/2010 9:29 PM 52872]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/19/2010 9:29 PM 216200]

R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/19/2010 9:29 PM 242896]

R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [5/19/2010 9:28 PM 916760]

R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [5/19/2010 9:28 PM 308064]

R2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [6/1/2010 10:19 AM 2331544]

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [5/1/2009 2:35 PM 181544]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/19/2010 9:41 PM 304464]

R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [5/19/2010 9:28 PM 30104]

R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [5/19/2010 9:28 PM 122376]

R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [5/19/2010 9:28 PM 30216]

R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [5/19/2010 9:28 PM 26120]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/19/2010 9:41 PM 20952]

R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [6/17/2009 7:20 AM 14896]

S0 cerc6;cerc6; [x]

S2 DirMngr;DirMngr;c:\program files\GNU\GnuPG\dirmngr.exe [4/12/2010 3:19 PM 242176]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/19/2010 9:11 PM 136176]

S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [5/19/2010 9:28 PM 30104]

S3 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [5/19/2010 9:28 PM 5888008]

.

Contents of the 'Scheduled Tasks' folder

2010-06-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-20 02:11]

2010-06-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-20 02:11]

.

- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)

HKLM-Run-nwiz - nwiz.exe

**************************************************************************

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files:

**************************************************************************

.

Completion time: 2010-06-04 16:26:52

ComboFix-quarantined-files.txt 2010-06-04 21:26

Pre-Run: 231,302,328,320 bytes free

Post-Run: 231,555,743,744 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 3A3550B29BB7B764CF04E95305A5DC34
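The ComboFix log above carries the three things a helper reads first: the Run keys, the service table (where `[x]` marks a registered service whose binary is gone, as with `cerc6`), and the Windows Firewall standard-profile setting (`EnableFirewall` is 0 here because AVG's own firewall is installed). The Python script below is an added example for this page, not part of the thread and not ComboFix's own code. It parses those three line shapes and flags what a helper would look at. The sample lines are copied in shape from the log, except for the `svchost` Run entry pointing into a Temp folder, which is constructed so the path check has something to flag; the list of "trusted" path prefixes is an assumption of this example, not a ComboFix rule.

```python
import re
from collections import namedtuple

# Constructed sample in the shape of the ComboFix log above. All lines but one
# are copied from that log; the "svchost" Run entry pointing into a Temp folder
# is constructed so that the untrusted-path check has something to flag.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-13 13578240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"svchost"="c:\documents and settings\zaw\Local Settings\Temp\svchost.exe" [2010-06-01 24576]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [5/19/2010 9:29 PM 52872]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/19/2010 9:41 PM 304464]
S0 cerc6;cerc6; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/19/2010 9:11 PM 136176]
"""

RunEntry = namedtuple("RunEntry", "key name path")
Service = namedtuple("Service", "start name display path missing")

# "name"="path" [date size]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[(?P<meta>[^\]]*)\]$')
# R0 name;display;path [date time size]   or   S0 name;display; [x]
SERVICE_RE = re.compile(
    r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);'
    r'(?P<path>[^\[]*?)\s*\[(?P<meta>[^\]]*)\]$')
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(?P<value>\d+)')

# Assumption for this example: binaries under these roots are "expected";
# anything else (user profiles, Temp, the root of C:) deserves a second look.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")


def parse_combofix(text):
    """Split a ComboFix 'Reg Loading Points' dump into Run entries, services
    and the standard-profile Windows Firewall flag (None if not present)."""
    run, services, firewall = [], [], None
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()          # registry key the next lines belong to
            continue
        m = RUN_RE.match(line)
        if m and key.endswith("\\run"):
            run.append(RunEntry(key, m.group("name"), m.group("path")))
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append(Service(m.group("start"), m.group("name"),
                                    m.group("display"), m.group("path"),
                                    m.group("meta") == "x"))
            continue
        m = FIREWALL_RE.match(line)
        if m and "standardprofile" in key:
            firewall = int(m.group("value"))
    return run, services, firewall


def triage(run, services, firewall):
    """Return (kind, name, detail) findings a helper would look at first."""
    findings = []
    for e in run:
        if not e.path.lower().startswith(TRUSTED_PREFIXES):
            findings.append(("run-untrusted-path", e.name, e.path))
    for s in services:
        if s.missing:
            # A registered service whose binary no longer exists: a leftover
            # of something removed. Harmless to the user, but it should go.
            findings.append(("service-missing-binary", s.name, s.display))
        elif not s.path.lower().startswith(TRUSTED_PREFIXES):
            findings.append(("service-untrusted-path", s.name, s.path))
    if firewall == 0:
        # Not a hit on its own: a third-party firewall (AVG here) switches the
        # Windows one off. It matters only if no other firewall is running.
        findings.append(("windows-firewall-disabled", "standardprofile",
                         "confirm a third-party firewall service is running"))
    return findings


if __name__ == "__main__":
    for kind, name, detail in triage(*parse_combofix(SAMPLE_LOG)):
        print(f"{kind:28} {name:16} {detail}")
```

Run against the real log the same checks come back with only `cerc6` and the firewall note, which is consistent with what the helper does next: nothing in these loading points explains the redirect, so the next step is a rootkit scan rather than a fix script.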

Hello shwekhaw! Welcome to MalwareBytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something, please ask.
  • Do not install or uninstall any software or hardware while we work on it.

Step 1

First of all, you should not have more than one anti-virus program installed as they will conflict and cause problems. You have two so you need to uninstall one of them. Of the two, I would recommend keeping AVG, so please uninstall Microsoft Security Essentials.

Step 2

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  • During the download, rename Combofix to Combo-Fix.
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  • Double click on Combo-Fix.exe and follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Please read the following through carefully so that you understand what to do.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or hold down your Windows key and press R), copy and paste the following into the text field (make sure you include the quote marks), then press OK. (If Vista, click on the Vista Orb, copy and paste the following into the Search field (make sure you include the quotation marks), then press Ctrl+Shift+Enter.)
    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • It may ask you to reboot the computer to complete the process. Allow it to do so.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.


13:18:48:593 5440 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48

13:18:48:593 5440 ================================================================================

13:18:48:593 5440 SystemInfo:

13:18:48:593 5440 OS Version: 5.1.2600 ServicePack: 3.0

13:18:48:593 5440 Product type: Workstation

13:18:48:593 5440 ComputerName: PIRATE-ZAW

13:18:48:593 5440 UserName: zaw

13:18:48:593 5440 Windows directory: C:\WINDOWS

13:18:48:593 5440 Processor architecture: Intel x86

13:18:48:593 5440 Number of processors: 2

13:18:48:593 5440 Page size: 0x1000

13:18:48:593 5440 Boot type: Normal boot

13:18:48:593 5440 ================================================================================

13:18:48:734 5440 Initialize success

13:18:48:734 5440

13:18:48:734 5440 Scanning Services ...

13:18:48:875 5440 Raw services enum returned 314 services

13:18:48:890 5440

13:18:48:890 5440 Scanning Drivers ...

13:18:49:343 5440 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

13:18:49:375 5440 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

13:18:49:406 5440 ADIHdAudAddService (0f0a69496989912351284bb1baa2ce57) C:\WINDOWS\system32\drivers\ADIHdAud.sys

13:18:49:437 5440 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

13:18:49:484 5440 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

13:18:49:562 5440 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

13:18:49:562 5440 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\drivers\atapi.sys

13:18:49:593 5440 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

13:18:49:625 5440 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

13:18:49:656 5440 Avgfwdx (fa6336f05695e39995884d0c959c9608) C:\WINDOWS\system32\DRIVERS\avgfwdx.sys

13:18:49:656 5440 Avgfwfd (fa6336f05695e39995884d0c959c9608) C:\WINDOWS\system32\DRIVERS\avgfwdx.sys

13:18:49:781 5440 AVGIDSDriverxpx (56206c641454aba963151329f9363003) C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys

13:18:49:812 5440 AVGIDSErHrxpx (5f76534d86f5d87902bd8cca3d651e8e) C:\WINDOWS\system32\Drivers\AVGIDSxx.sys

13:18:49:812 5440 AVGIDSFilterxpx (8ee3a628ea3c6d5569cc3b3a94ec86b8) C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys

13:18:49:828 5440 AVGIDSShimxpx (d5b81f9ee6361ebc8df702569da01370) C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys

13:18:49:875 5440 AvgLdx86 (9c0a7e6d3cb9a8a7ad4e4575d9a42e94) C:\WINDOWS\system32\Drivers\avgldx86.sys

13:18:49:890 5440 AvgMfx86 (53b3f979930a786a614d29cafe99f645) C:\WINDOWS\system32\Drivers\avgmfx86.sys

13:18:49:906 5440 AvgRkx86 (5bbcd8646074a3af4ee9b321d12c2b64) C:\WINDOWS\system32\Drivers\avgrkx86.sys

13:18:49:921 5440 AvgTdiX (6e11bbc8dc5af836adc9c5f682fa3186) C:\WINDOWS\system32\Drivers\avgtdix.sys

13:18:49:968 5440 b57w2k (d0692f7b8217e3b82d2bfac535816117) C:\WINDOWS\system32\DRIVERS\b57xp32.sys

13:18:50:015 5440 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

13:18:50:171 5440 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

13:18:50:187 5440 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys

13:18:50:218 5440 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

13:18:50:250 5440 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

13:18:50:281 5440 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

13:18:50:312 5440 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

13:18:50:343 5440 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

13:18:50:343 5440 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

13:18:50:359 5440 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

13:18:50:390 5440 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

13:18:50:421 5440 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

13:18:50:421 5440 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

13:18:50:421 5440 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys

13:18:50:453 5440 FilterService (b73ec688c29f81f9da0fcf63682b3ecb) C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys

13:18:50:468 5440 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

13:18:50:484 5440 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys

13:18:50:531 5440 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys

13:18:50:546 5440 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

13:18:50:578 5440 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

13:18:50:593 5440 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

13:18:50:625 5440 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

13:18:50:671 5440 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

13:18:50:734 5440 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

13:18:50:781 5440 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys

13:18:50:843 5440 iastor (d483687eace0c065ee772481a96e05f5) C:\WINDOWS\system32\drivers\iastor.sys

13:18:50:875 5440 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

13:18:50:937 5440 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

13:18:50:968 5440 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys

13:18:50:984 5440 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

13:18:51:000 5440 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

13:18:51:015 5440 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

13:18:51:062 5440 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

13:18:51:078 5440 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

13:18:51:125 5440 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

13:18:51:125 5440 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

13:18:51:156 5440 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

13:18:51:203 5440 klmd23 (67e1faa88fb397b3d56909d7e04f4dd3) C:\WINDOWS\system32\drivers\klmd.sys

13:18:51:265 5440 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

13:18:51:296 5440 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

13:18:51:328 5440 LVRS (37072ec9299e825f4335cc554b6fac6a) C:\WINDOWS\system32\DRIVERS\lvrs.sys

13:18:51:453 5440 LVUVC (a240e42a7402e927a71b6e8aa4629b13) C:\WINDOWS\system32\DRIVERS\lvuvc.sys

13:18:51:484 5440 MBAMProtector (67b48a903430c6d4fb58cbaca1866601) C:\WINDOWS\system32\drivers\mbam.sys

13:18:51:515 5440 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

13:18:51:546 5440 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

13:18:51:578 5440 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

13:18:51:609 5440 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

13:18:51:625 5440 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

13:18:51:625 5440 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

13:18:51:687 5440 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

13:18:51:687 5440 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

13:18:51:734 5440 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

13:18:51:781 5440 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

13:18:51:781 5440 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

13:18:51:828 5440 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

13:18:51:859 5440 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys

13:18:51:890 5440 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

13:18:51:937 5440 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys

13:18:51:937 5440 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

13:18:51:968 5440 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys

13:18:51:984 5440 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

13:18:52:031 5440 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

13:18:52:031 5440 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

13:18:52:046 5440 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

13:18:52:046 5440 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

13:18:52:046 5440 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

13:18:52:062 5440 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

13:18:52:109 5440 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

13:18:52:140 5440 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

13:18:52:453 5440 nv (b7ef2303b118b0994b37b6abdefb2b99) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

13:18:52:515 5440 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

13:18:52:562 5440 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

13:18:52:593 5440 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

13:18:52:625 5440 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

13:18:52:656 5440 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

13:18:52:703 5440 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

13:18:52:718 5440 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

13:18:52:750 5440 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

13:18:52:750 5440 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

13:18:52:765 5440 PSI (14e6fb92f1788982e2bbc81d915b1f02) C:\WINDOWS\system32\DRIVERS\psi_mf.sys

13:18:52:765 5440 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

13:18:52:812 5440 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

13:18:52:828 5440 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

13:18:52:843 5440 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

13:18:52:843 5440 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

13:18:52:875 5440 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

13:18:52:875 5440 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

13:18:52:921 5440 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

13:18:52:968 5440 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

13:18:53:000 5440 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

13:18:53:031 5440 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

13:18:53:078 5440 SenFiltService (b6a6b409fda9d9ebd3aadb838d3d7173) C:\WINDOWS\system32\drivers\Senfilt.sys

13:18:53:125 5440 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

13:18:53:125 5440 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

13:18:53:140 5440 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

13:18:53:187 5440 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys

13:18:53:218 5440 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

13:18:53:265 5440 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

13:18:53:296 5440 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys

13:18:53:312 5440 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys

13:18:53:328 5440 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

13:18:53:343 5440 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

13:18:53:375 5440 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

13:18:53:421 5440 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

13:18:53:453 5440 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

13:18:53:468 5440 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

13:18:53:500 5440 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

13:18:53:531 5440 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

13:18:53:546 5440 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

13:18:53:578 5440 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys

13:18:53:593 5440 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

13:18:53:625 5440 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

13:18:53:640 5440 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

13:18:53:640 5440 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

13:18:53:640 5440 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

13:18:53:687 5440 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys

13:18:53:734 5440 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

13:18:53:781 5440 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

13:18:53:796 5440 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

13:18:53:843 5440 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

13:18:53:875 5440 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS

13:18:53:875 5440

13:18:53:875 5440 Completed

13:18:53:875 5440

13:18:53:875 5440 Results:

13:18:53:875 5440 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

13:18:53:875 5440 File objects infected / cured / cured on reboot: 0 / 0 / 0

13:18:53:890 5440

13:18:53:890 5440 KLMD(ARK) unloaded successfully

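Apart from the result counters at the end, the TDSSKiller output above is a list of every loaded driver with its on-disk MD5. A hash on its own says little; it becomes useful when compared with the hashes from a known-clean machine at the same patch level, which is how a patched system driver is spotted even when the scanner's own detections read 0 / 0 / 0. The Python script below is an added example for this page, not part of the thread and not TDSSKiller's own code: it parses the driver lines, compares each hash against an analyst-supplied baseline, and reports service names that share one binary (Avgfwdx and Avgfwfd both point at avgfwdx.sys, which is how AVG registers its firewall driver, so that is information rather than a hit). The baseline and the altered log are constructed for the example; the baseline values are simply the hashes from the log above, so the unaltered sample passes and the altered copy does not.

```python
import re
from collections import defaultdict, namedtuple

# Constructed sample: five driver lines copied from the TDSSKiller log above,
# plus trailer lines that the parser must skip.
SAMPLE_LOG = r"""
13:18:49:562 5440 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\drivers\atapi.sys
13:18:49:656 5440 Avgfwdx (fa6336f05695e39995884d0c959c9608) C:\WINDOWS\system32\DRIVERS\avgfwdx.sys
13:18:49:656 5440 Avgfwfd (fa6336f05695e39995884d0c959c9608) C:\WINDOWS\system32\DRIVERS\avgfwdx.sys
13:18:52:109 5440 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
13:18:53:421 5440 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
13:18:53:875 5440 Completed
13:18:53:875 5440 Results:
13:18:53:875 5440 File objects infected / cured / cured on reboot: 0 / 0 / 0
"""

# Constructed variant: the same log, but atapi.sys reports a different hash.
# The replacement value is made up; it stands in for "a file that changed".
ALTERED_LOG = SAMPLE_LOG.replace("9f3a2f5aa6875c72bf062c712cfa2674", "0" * 32)

# Assumption: the analyst keeps per-file baseline hashes taken from a clean
# machine at the same patch level. Here they are just the values in the log.
BASELINE = {
    "atapi.sys": "9f3a2f5aa6875c72bf062c712cfa2674",
    "ntfs.sys": "78a08dd6a8d65e697c18e1db01c5cdca",
    "tcpip.sys": "9aefa14bd6b182d61e3119fa5f436d3d",
}

Driver = namedtuple("Driver", "service md5 path")

# hh:mm:ss:ms pid ServiceName (md5) C:\path\file.sys
DRIVER_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s+"
    r"(?P<service>\S+)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>\S.*)$")


def parse_tdsskiller(text):
    """Return one Driver per 'Scanning Drivers' line; all other lines are ignored."""
    drivers = []
    for raw in text.splitlines():
        m = DRIVER_RE.match(raw.strip())
        if m:
            drivers.append(Driver(m.group("service"), m.group("md5"), m.group("path")))
    return drivers


def triage(drivers, baseline):
    """Compare each driver's on-disk MD5 with the baseline and report which
    service names share one binary. Returns (kind, service, detail) tuples."""
    findings = []
    by_path = defaultdict(list)
    for d in drivers:
        path = d.path.lower()
        by_path[path].append(d.service)
        expected = baseline.get(path.rsplit("\\", 1)[-1])
        if expected is not None and expected != d.md5:
            findings.append(("hash-mismatch", d.service, f"{d.md5} != {expected}"))
    for path, names in by_path.items():
        if len(names) > 1:
            # Two service names, one file: AVG does this on purpose for its
            # firewall driver, so this is information, not a detection.
            findings.append(("shared-binary", "/".join(names), path))
    return findings


if __name__ == "__main__":
    for label, log in (("as posted", SAMPLE_LOG), ("altered copy", ALTERED_LOG)):
        print(label)
        for kind, service, detail in triage(parse_tdsskiller(log), BASELINE):
            print(f"  {kind:14} {service:16} {detail}")
```

The hash is whatever TDSSKiller read from disk, so a match is one data point rather than proof that the driver is clean, and the comparison only means something when the baseline comes from the same Windows build and hotfix level, since every Microsoft update to one of these files changes its hash.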

Maybe it does not matter, but IE is opening another window by itself the first time I press the download TDSSKiller link. Even now, when I click on 'Reply' in this forum, another IE window opens by itself.

Still redirects you? How are things now?


  • Launch Malwarebytes' Anti-Malware
  • Go to the "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to the "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

In your next reply, please include these log(s) in this sequence:

  1. MalwareBytes' Anti-Malware log
  2. DDS log with Attach.txt


protection-log-2010-06-06.txt

-----------------------------------

02:00:05 zaw MESSAGE Scheduled update executed successfully

02:00:05 zaw MESSAGE IP Protection stopped

02:00:08 zaw MESSAGE Scheduled scan executed successfully

02:00:08 zaw MESSAGE Scheduled scan executed successfully

02:00:08 zaw MESSAGE Database updated successfully

02:00:09 zaw MESSAGE IP Protection started successfully

11:44:47 zaw MESSAGE Protection started successfully

11:44:51 zaw MESSAGE IP Protection started successfully

mbam-log-2010-06-06(11-49-07).txt

------------------------------------------

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4172

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/6/2010 11:49:07 AM

mbam-log-2010-06-06 (11-49-07).txt

Scan type: Quick scan

Objects scanned: 114721

Time elapsed: 2 minute(s), 58 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Do you want me to run DDS again? Otherwise the DDS log and Attach.txt are as posted in my previous reply.

Problem still persists.


Yes, because if MBAM detects and removes anything it will affect the script and I wanted to be in step with things. Don't do it, we'll try another thing:

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  2. During the download, rename Combofix to Combo-Fix.
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore your connection.

-----------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Problem still persists.

See the following for Combo-Fix output.

ComboFix 10-06-06.01 - zaw 06/06/2010 14:33:51.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2610 [GMT -5:00]

Running from: c:\documents and settings\zaw\Desktop\Combo-Fix.exe

AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

.

((((((((((((((((((((((((( Files Created from 2010-05-06 to 2010-06-06 )))))))))))))))))))))))))))))))

.

2010-06-04 21:19 . 2010-06-04 21:26 -------- d-----w- C:\Combo-Fix

2010-06-04 17:35 . 2010-05-21 19:14 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-06-04 03:17 . 2010-06-06 16:48 1 ----a-w- c:\documents and settings\zaw\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys

2010-06-04 03:17 . 2010-06-04 03:17 -------- d-----w- c:\documents and settings\zaw\Application Data\OpenOffice.org

2010-06-04 03:15 . 2010-06-04 03:15 -------- d-----w- c:\program files\ASAP Utilities

2010-06-04 03:15 . 2010-06-04 03:15 -------- d-----w- c:\documents and settings\zaw\Application Data\ASAP Utilities

2010-06-02 20:13 . 2010-06-02 20:13 -------- d-----w- c:\program files\MSECache

2010-06-01 15:19 . 2010-06-01 15:19 29512 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys

2010-06-01 15:19 . 2010-06-01 15:19 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys

2010-05-31 22:06 . 2010-05-31 22:06 -------- d-----w- c:\program files\Secunia

2010-05-27 15:34 . 2010-05-27 15:34 26694 ----a-r- c:\documents and settings\zaw\Application Data\Microsoft\Installer\{F6249ABF-F16D-4AF3-8755-4D62F799C238}\_FCF4B120D6A8BD6C385184.exe

2010-05-27 15:34 . 2010-05-27 15:34 26694 ----a-r- c:\documents and settings\zaw\Application Data\Microsoft\Installer\{F6249ABF-F16D-4AF3-8755-4D62F799C238}\_6FEFF9B68218417F98F549.exe

2010-05-26 15:14 . 2010-05-26 15:14 501872 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb9AD.tmp.exe

2010-05-25 19:40 . 2010-05-25 19:40 -------- d-----w- c:\program files\Common Files\Adobe

2010-05-25 19:39 . 1998-10-29 21:45 306688 ----a-w- c:\windows\IsUninst.exe

2010-05-25 14:50 . 2010-05-25 14:50 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2

2010-05-25 14:50 . 2010-05-25 14:50 501872 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb673.tmp.exe

2010-05-25 02:58 . 2009-10-07 08:49 6756632 ----a-w- c:\windows\system32\drivers\lvuvc.sys

2010-05-25 02:58 . 2009-10-07 08:48 539160 ----a-w- c:\windows\system32\LVUI2RC.dll

2010-05-25 02:58 . 2009-10-07 08:48 539160 ----a-w- c:\windows\system32\LVUI2.dll

2010-05-25 02:58 . 2009-10-07 08:43 416280 ----a-w- c:\windows\system32\lvcodec2.dll

2010-05-25 02:57 . 2009-10-07 08:47 266008 ----a-w- c:\windows\system32\drivers\lvrs.sys

2010-05-25 02:57 . 2009-10-07 08:43 199192 ----a-w- c:\windows\system32\lvci12101110.dll

2010-05-25 02:57 . 2009-10-07 08:24 34068 ----a-w- c:\windows\system32\Repository.reg

2010-05-25 02:57 . 2009-10-07 08:49 23832 ----a-w- c:\windows\system32\drivers\lvuvcflt.sys

2010-05-25 02:57 . 2010-05-25 02:58 -------- d-----w- c:\program files\Common Files\LogiShrd

2010-05-24 14:50 . 2010-05-24 14:50 -------- d-----w- c:\program files\QuickTime

2010-05-24 14:50 . 2010-05-24 14:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

2010-05-24 14:50 . 2010-05-24 14:50 -------- d-----w- c:\program files\Common Files\Apple

2010-05-24 14:50 . 2010-05-24 14:50 -------- d-----w- c:\documents and settings\zaw\Local Settings\Application Data\Apple

2010-05-24 14:50 . 2010-05-24 14:50 -------- d-----w- c:\program files\Apple Software Update

2010-05-24 14:50 . 2010-05-24 14:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

2010-05-24 14:50 . 2010-05-24 14:50 -------- d-----w- c:\documents and settings\zaw\Local Settings\Application Data\Apple Computer

2010-05-24 02:57 . 2010-06-04 17:29 -------- d-----w- c:\program files\Microsoft Silverlight

2010-05-22 03:39 . 2010-05-28 21:25 -------- d-----w- c:\documents and settings\zaw\Application Data\gnupg

2010-05-22 03:39 . 2010-05-22 03:39 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\GNU

2010-05-22 03:39 . 2010-05-22 03:39 -------- d-----w- c:\documents and settings\LocalService\Application Data\gnupg

2010-05-22 03:39 . 2010-05-22 03:39 -------- d-----w- c:\documents and settings\All Users\Application Data\GNU

2010-05-22 03:39 . 2010-05-22 03:39 -------- d-----w- c:\program files\GNU

2010-05-21 21:55 . 2010-05-21 21:55 -------- d-----w- c:\documents and settings\zaw\Local Settings\Application Data\Identities

2010-05-21 21:07 . 2010-05-21 21:07 -------- d-----w- C:\ZUD4233

2010-05-21 17:21 . 2010-05-21 17:21 454656 ----a-w- c:\program files\putty.exe

2010-05-21 07:00 . 2010-05-21 07:00 -------- d-----w- c:\documents and settings\LocalService\Application Data\Malwarebytes

2010-05-20 19:17 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll

2010-05-20 15:59 . 2004-08-10 05:42 77824 ------w- c:\windows\system32\brlmw03a.dll

2010-05-20 15:59 . 2010-05-20 15:59 -------- d-----w- c:\program files\Brownie

2010-05-20 15:59 . 2010-05-20 15:59 34 ----a-w- c:\windows\system32\BD2170W.DAT

2010-05-20 15:59 . 2007-08-19 16:34 94208 ----a-w- c:\windows\system32\BRRBTOOL.EXE

2010-05-20 15:59 . 2006-12-21 16:23 176128 ------w- c:\windows\system32\BROSNMP.DLL

2010-05-20 15:59 . 2010-05-20 15:59 -------- d-----w- c:\program files\Brother

2010-05-20 15:59 . 2009-05-26 00:14 196608 ------w- c:\windows\system32\Pdrvinst.dll

2010-05-20 15:59 . 2004-09-23 15:00 24223 ----a-w- c:\windows\system32\BRLM03A.DLL

2010-05-20 15:51 . 2010-05-20 15:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Brother

2010-05-20 14:16 . 2010-06-06 16:44 -------- d-----w- c:\documents and settings\zaw\Tracing

2010-05-20 14:16 . 2010-05-20 14:16 -------- d-----w- c:\program files\Microsoft

2010-05-20 14:16 . 2010-05-20 14:16 -------- d-----w- c:\program files\Windows Live SkyDrive

2010-05-20 14:15 . 2010-05-20 14:16 -------- d-----w- c:\program files\Windows Live

2010-05-20 14:14 . 2010-05-20 14:14 -------- d-----w- c:\program files\Common Files\Windows Live

2010-05-20 14:13 . 2010-06-04 17:34 48688 ----a-w- c:\documents and settings\zaw\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-05-20 05:13 . 2010-05-20 05:13 -------- d-----w- c:\program files\MSXML 4.0

2010-05-20 05:09 . 2010-05-20 05:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage

2010-05-20 05:09 . 2010-05-20 05:09 -------- d-----w- c:\documents and settings\zaw\Application Data\Office Genuine Advantage

2010-05-20 05:08 . 2010-05-20 05:08 -------- d-----w- c:\program files\WinSCP

2010-05-20 05:00 . 2010-05-20 05:00 -------- d-----w- c:\program files\Seagate

2010-05-20 05:00 . 2010-05-20 05:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Seagate

2010-05-20 04:59 . 2010-05-20 04:59 -------- d-----w- c:\documents and settings\zaw\Local Settings\Application Data\Downloaded Installations

2010-05-20 04:59 . 2010-05-20 04:59 -------- d-sh--w- c:\windows\ftpcache

2010-05-20 04:43 . 2010-05-20 04:43 -------- d-----w- c:\program files\Microsoft ActiveSync

2010-05-20 04:42 . 2010-05-20 04:43 -------- d-----w- c:\windows\ShellNew

2010-05-20 04:22 . 2010-05-20 04:22 -------- d-----w- c:\program files\PDFTK Builder

2010-05-20 04:20 . 2010-05-20 04:20 -------- d-----w- c:\documents and settings\zaw\Application Data\Softland

2010-05-20 04:20 . 2010-05-20 04:20 -------- d-----w- c:\documents and settings\LocalService\Application Data\Softland

2010-05-20 04:20 . 2010-05-12 22:02 22856 ----a-w- c:\windows\system32\dopdfmn7.dll

2010-05-20 04:20 . 2010-05-12 22:02 19784 ----a-w- c:\windows\system32\dopdfmi7.dll

2010-05-20 04:20 . 2010-05-20 04:20 -------- d-----w- c:\program files\Softland

2010-05-20 04:20 . 2010-02-05 20:00 1700352 ----a-w- c:\windows\system32\GdiPlus.dll

2010-05-20 04:18 . 2010-05-20 04:18 -------- d-----w- c:\program files\MMTaskbar

2010-05-20 04:15 . 2010-05-20 04:15 -------- d-----w- c:\program files\Tracker Software

2010-05-20 04:14 . 2010-05-20 04:14 0 ----a-w- c:\windows\nsreg.dat

2010-05-20 04:14 . 2010-05-20 04:14 -------- d-----w- c:\documents and settings\zaw\Local Settings\Application Data\Mozilla

2010-05-20 02:42 . 2010-05-20 02:42 -------- d-----w- c:\documents and settings\zaw\Application Data\Malwarebytes

2010-05-20 02:41 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-20 02:41 . 2010-05-20 02:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-20 02:41 . 2010-05-20 02:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-05-20 02:41 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-20 02:31 . 2010-05-20 02:31 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2010-05-20 02:29 . 2010-05-20 02:29 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-05-20 02:29 . 2010-05-20 02:29 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys

2010-05-20 02:29 . 2010-05-20 02:29 25096 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys

2010-05-20 02:29 . 2010-06-01 15:19 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-05-20 02:29 . 2010-05-20 02:29 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-05-20 02:29 . 2010-06-01 15:19 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-05-20 02:29 . 2010-06-06 11:31 -------- d-----w- c:\windows\system32\drivers\Avg

2010-05-20 02:28 . 2010-05-20 02:28 50968 ----a-w- c:\windows\system32\avgfwdx.dll

2010-05-20 02:28 . 2010-05-20 02:28 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys

2010-05-20 02:27 . 2010-05-20 02:27 -------- d-----w- c:\program files\AVG

2010-05-20 02:27 . 2010-05-20 02:27 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-05-20 02:23 . 2010-05-20 02:23 1956656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe

2010-05-20 02:22 . 2010-05-20 02:28 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-05-20 02:16 . 2010-05-20 02:16 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

2010-05-20 02:11 . 2010-05-20 02:11 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

2010-05-20 02:11 . 2010-05-27 15:34 -------- d-----w- c:\documents and settings\zaw\Local Settings\Application Data\Google

2010-05-20 02:11 . 2010-05-27 15:34 -------- d-----w- c:\program files\Google

2010-05-20 02:10 . 2010-05-20 02:10 -------- d-sh--w- c:\documents and settings\zaw\IECompatCache

2010-05-20 02:09 . 2010-05-20 02:09 -------- d-sh--w- c:\documents and settings\zaw\PrivacIE

2010-05-20 02:08 . 2010-05-20 02:08 -------- d-sh--w- c:\documents and settings\zaw\IETldCache

2010-05-20 02:05 . 2010-02-25 16:54 11070976 -c----w- c:\windows\system32\dllcache\ieframe.dll

2010-05-20 02:05 . 2010-02-25 06:24 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2010-05-20 02:05 . 2010-02-25 06:24 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2010-05-20 02:05 . 2010-02-25 06:24 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2010-05-20 02:05 . 2010-02-25 06:24 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2010-05-20 02:05 . 2010-02-25 06:24 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll

2010-05-20 02:05 . 2010-05-20 02:05 -------- d-----w- c:\windows\ie8updates

2010-05-20 02:05 . 2010-02-16 04:50 64000 -c----w- c:\windows\system32\dllcache\iecompat.dll

2010-05-20 02:05 . 2010-05-20 02:05 -------- dc-h--w- c:\windows\ie8

2010-05-20 01:53 . 2010-02-24 13:11 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys

2010-05-20 01:51 . 2010-02-17 14:10 2189952 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe

2010-05-20 01:51 . 2010-02-16 14:08 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe

2010-05-20 01:51 . 2010-02-16 13:25 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe

2010-05-20 01:51 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll

2010-05-20 01:50 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys

2010-05-20 01:50 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-04 01:54 . 2010-05-25 02:58 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs

2010-06-04 01:53 . 2010-05-25 02:57 0 ----a-w- c:\windows\system32\drivers\logiflt.iad

2010-05-28 11:04 . 2009-06-17 12:20 14896 ----a-w- c:\windows\system32\drivers\psi_mf.sys

2010-05-20 23:29 . 2010-05-19 23:22 87263 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2010-05-20 15:59 . 2010-05-19 23:52 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-05-20 04:51 . 2010-05-20 04:51 -------- d-----w- c:\program files\JRE

2010-05-20 04:51 . 2010-05-20 04:51 -------- d-----w- c:\program files\OpenOffice.org 3

2010-05-20 04:51 . 2010-05-20 04:51 -------- d-----w- c:\program files\Common Files\Java

2010-05-20 02:13 . 2010-05-19 23:52 -------- d-----w- c:\program files\Intel

2010-05-19 23:53 . 2010-05-19 23:53 -------- d-----w- c:\program files\Analog Devices

2010-05-19 23:53 . 2010-05-19 23:53 -------- d-----w- c:\program files\Common Files\InstallShield

2010-05-19 23:52 . 2010-05-19 23:52 -------- d-----w- c:\documents and settings\zaw\Application Data\InstallShield

2010-05-19 23:42 . 2010-05-19 23:42 -------- d-----w- c:\program files\Broadcom

2010-05-19 23:28 . 2010-05-19 23:28 45056 ----a-r- c:\documents and settings\zaw\Application Data\Microsoft\Installer\{42929F0F-CE14-47AF-9FC7-FF297A603021}\NewShortcut1_42929F0FCE1447AF9FC7FF297A603021_1.exe

2010-05-19 23:28 . 2010-05-19 23:28 10134 ----a-r- c:\documents and settings\zaw\Application Data\Microsoft\Installer\{42929F0F-CE14-47AF-9FC7-FF297A603021}\ARPPRODUCTICON.exe

2010-05-19 23:28 . 2010-05-19 23:28 -------- d-----w- c:\program files\Dell

2010-05-19 23:23 . 2010-05-19 23:23 -------- d-----w- c:\program files\microsoft frontpage

2010-05-19 23:21 . 2010-05-19 23:21 21640 ----a-w- c:\windows\system32\emptyregdb.dat

2010-04-17 03:12 . 2010-04-17 03:12 48464 ----a-w- c:\windows\system32\sirenacm.dll

2010-03-10 06:15 . 2008-04-14 07:00 420352 ----a-w- c:\windows\system32\vbscript.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-13 13578240]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-08-01 1036288]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-05-01 185640]

"BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2009-06-11 3618104]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

c:\documents and settings\zaw\Start Menu\Programs\Startup\

OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]

Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2010-5-28 911920]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-5-25 113664]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

MultiMon Taskbar.lnk - c:\program files\MMTaskbar\MultiMon.exe [2010-5-19 294912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-05-20 02:29 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [5/19/2010 9:29 PM 25096]

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [5/19/2010 9:29 PM 52872]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/19/2010 9:29 PM 216200]

R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/19/2010 9:29 PM 242896]

R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [5/19/2010 9:28 PM 916760]

R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [5/19/2010 9:28 PM 308064]

R2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [6/1/2010 10:19 AM 2331544]

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [5/1/2009 2:35 PM 181544]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/19/2010 9:41 PM 304464]

R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [5/19/2010 9:28 PM 30104]

R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [5/19/2010 9:28 PM 122376]

R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [5/19/2010 9:28 PM 30216]

R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [5/19/2010 9:28 PM 26120]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/19/2010 9:41 PM 20952]

R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [6/17/2009 7:20 AM 14896]

S0 cerc6;cerc6; [x]

S2 DirMngr;DirMngr;c:\program files\GNU\GnuPG\dirmngr.exe [4/12/2010 3:19 PM 242176]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/19/2010 9:11 PM 136176]

S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [5/19/2010 9:28 PM 30104]

S3 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [5/19/2010 9:28 PM 5888008]

.

Contents of the 'Scheduled Tasks' folder

2010-06-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-20 02:11]

2010-06-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-20 02:11]

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-06 14:36

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(728)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

Completion time: 2010-06-06 14:37:18

ComboFix-quarantined-files.txt 2010-06-06 19:37

ComboFix2.txt 2010-06-04 21:26

Pre-Run: 231,502,307,328 bytes free

Post-Run: 231,495,192,576 bytes free

- - End Of File - - 4C6753D26073E6E691A0B4599C0EF429


Please download to your Desktop: Dr.Web CureIt

  • After the file has downloaded, disable your current Anti-Virus and disconnect from the Internet.
  • Double-click the drweb-cureit.exe file, then click the Start button, then the OK button to perform an Express Scan.
  • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, click on the Complete scan radio button.
  • Then click on the Settings menu on top, then select Change Settings or press the F9 key. You can also change the Language.
  • Choose the Scanning tab and I recommend leaving the Heuristic analysis enabled (this can lead to False Positives though).
  • On the File types tab ensure you select All files.
  • Click on the Actions tab and set the following:
    • Objects: Infected objects = Cure, Incurable objects = Move, Suspicious objects = Report
    • Infected packages: Archive = Move, E-mails = Report, Containers = Move
    • Malware: Adware = Move, Dialers = Move, Jokes = Move, Riskware = Move, Hacktools = Move
    • Do not change the Rename extension - default is: #??
    • Leave the default save path for Moved files here: %USERPROFILE%\DoctorWeb\Quarantine\
    • Leave Prompt on Action checked
  • On the Log file tab leave Log to file checked.
  • Leave the log file path alone: %USERPROFILE%\DoctorWeb\CureIt.log
  • Log mode = Append
  • Encoding = ANSI
  • Details: leave Names of file packers and Statistics checked.
  • Limit log file size = 2048 KB and leave the check mark on the Maximum log file size.
  • On the General tab leave the Scan Priority on High.
  • Click the Apply button at the bottom, and then the OK button.
  • On the right side under the Dr.Web Anti-Virus logo you will see 3 little buttons. Click the left VCR-style Start button.
  • In this mode it will scan Boot sectors of all disks, All removable media, and all local drives.
  • The more files and folders you have the longer the scan will take. On large drives it can take hours to complete.
  • When the Cure option is selected, an additional context menu will open. Select the necessary action of the program if the curing fails.
  • Click 'Yes to all' if it asks if you want to cure/move the files.
  • This will move it to the %USERPROFILE%\DoctorWeb\Quarantine\ folder if it can't be cured. (In this case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your Desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously to your Desktop in your next reply with a new HijackThis log.


First I just want to let you know that I have completed your request for a complete scan. It found nothing. I cannot even save the report; Save report list under the File menu is inactive. No report was generated.

Second, the problem has been fixed for now. I know you guys discourage fixing it on the side. But I noticed that I was getting the same problem with other computers on my network as well. So I read some threads related to this redirect problem and found out that it is somehow changing the DNS setting on the router. When I looked at the DNS server entry on my router (you need access through the admin login, http://192.168.1.1 on my Linksys) and looked up the geolocation of my DNS server IP, my DNS servers were located in the RUSSIAN FEDERATION!!!!

So I hard reset my router. I am describing my solution in detail so other victims who are looking for a solution may try it.

1. Reset the router. There is a little hole at the back of your router (or at least on mine, a Linksys). Keep it pressed for 10 seconds or so. All the lights flash. Remember to set up your wireless security again after the reset if your router has a wireless feature. You do not want your neighbor watching child porn through your network.

2. Flush the DNS cache on your computer:

Start > All Programs > Accessories > Command Prompt

Type ipconfig /flushdns and press Enter.

I still wonder how my router got infected. There must be a virus or something on a computer in the network to access the router, right?

How could someone change something on my router? I had it password protected and remote router management disabled. I just have to keep an eye on it.

Although the problem is gone, I am not settled since we could not find the virus or malware that did it. Also, am I in danger of identity theft? I have been logging into my bank account etc. using this network.
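The router-side DNS change described in this post is the kind of thing a routine configuration check catches before the redirects are noticed. What follows is an added example of my own, not code from the thread or from Malwarebytes, ComboFix, Dr.Web or any other tool named here: it parses the `ipconfig /all` output that the Command Prompt step above produces and flags any configured DNS server that is neither on the local network (RFC 1918 or loopback) nor on an explicit allow-list. The sample output, the adapter names and the 203.0.113.x addresses (the RFC 5737 documentation range, standing in for an unexpected resolver) are constructed, and the function names are my own.

```python
"""Added example: flag DNS resolvers that are neither local nor explicitly trusted.

Parses the output of `ipconfig /all` as printed on Windows XP/7 and checks every
"DNS Servers" entry, including the indented continuation lines that list the
second and later servers. The sample text below is constructed; 203.0.113.x is
the RFC 5737 documentation range and stands in for an unexpected resolver.
"""
import ipaddress
import re
import subprocess
from typing import Iterable, List

# Ranges a home or office resolver is expected to live in: the router's LAN side
# (RFC 1918), loopback, and the IPv6 unique-local / link-local ranges.
LOCAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
              "fc00::/7", "fe80::/10", "::1/128")
]

# Constructed sample of `ipconfig /all` output (not a capture from the thread).
# The wired adapter has been handed two resolvers outside the LAN; the wireless
# adapter still points at the router.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : WORKSTATION
        Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Physical Address. . . . . . . . . : 00-11-22-33-44-55
        IP Address. . . . . . . . . . . . : 192.168.1.100
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 203.0.113.10
                                            203.0.113.11

Ethernet adapter Wireless Network Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.101
        DNS Servers . . . . . . . . . . . : 192.168.1.1
        NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# "DNS Servers . . . : <addr>"; the address may be absent when none is set.
_DNS_LINE = re.compile(r"^\s*DNS Servers[ .]*:\s*(\S+)?\s*$")
# Any other "Name . . . : value" field line; such a line ends a DNS block.
_FIELD_LINE = re.compile(r"^\s*[A-Za-z].*?[ .]+:")


def parse_dns_servers(text: str) -> List[str]:
    """Return every DNS server address listed in `ipconfig /all` output."""
    servers: List[str] = []
    in_dns_block = False
    for line in text.splitlines():
        match = _DNS_LINE.match(line)
        if match:
            in_dns_block = True
            if match.group(1):
                servers.append(match.group(1))
            continue
        if in_dns_block:
            stripped = line.strip()
            # A bare indented address continues the list; a blank line, a new
            # field or an adapter header ("...Connection:") ends it.
            if stripped and not stripped.endswith(":") and not _FIELD_LINE.match(line):
                servers.append(stripped)
                continue
            in_dns_block = False
    return servers


def unexpected_resolvers(servers: Iterable[str],
                         trusted: Iterable[str] = ()) -> List[str]:
    """Return the servers that are neither on a local network nor trusted.

    Entries that do not parse as IP addresses are returned too: something the
    check cannot classify deserves a look rather than silent acceptance.
    """
    trusted_set = set(trusted)
    flagged: List[str] = []
    for server in servers:
        if server in trusted_set:
            continue
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            flagged.append(server)
            continue
        if not any(addr in net for net in LOCAL_NETWORKS):
            flagged.append(server)
    return flagged


def check_local_machine(trusted: Iterable[str] = ()) -> List[str]:
    """Run `ipconfig /all` on this Windows host and return flagged resolvers."""
    output = subprocess.run(["ipconfig", "/all"], capture_output=True,
                            text=True, check=True).stdout
    return unexpected_resolvers(parse_dns_servers(output), trusted)


if __name__ == "__main__":
    found = parse_dns_servers(SAMPLE_IPCONFIG)
    print("configured DNS servers:", found)
    print("unexpected resolvers:  ", unexpected_resolvers(found))
```

On a Windows host, `check_local_machine()` runs the real `ipconfig /all`; pass the addresses of resolvers you deliberately use (an ISP's or a public DNS service) as `trusted`. One caveat the poster's case illustrates: many home routers hand out their own LAN address (192.168.1.1 here) as the workstation's DNS server and forward queries upstream, so this check can report a healthy local resolver while the rogue addresses sit in the router's WAN DNS settings. The router's admin page therefore has to be inspected as well, as the poster did, and after a router reset `ipconfig /flushdns` discards answers that were cached from the old resolvers.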


Good work! :)

Thanks a lot for your solution! :)

I suggest you change your passwords to prevent any theft in the future.

Last steps:

Step 1

* Go to start > run and copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Step 2

To enable CD Emulation programs using DeFogger please perform these steps:

  1. Please download DeFogger to your desktop.
  2. Once downloaded, double-click on the DeFogger icon to start the tool.
  3. The application window will now appear. You should now click on the Enable button to enable your CD Emulation drivers
  4. When it prompts you whether or not you want to continue, please click on the Yes button to continue
  5. When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
  6. If CD Emulation programs are present and have been enabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.

Step 3

Please manually delete Defogger, TDSSKiller, DDS, GMER and Dr.Web CureIt.

Step 4

Some malware preventions:

http://miekiemoes.blogspot.com/2008/02/how...nt-malware.html

Safe surfing! :)


If the computers are networked, then one of them may be infected by another; perhaps each should be individually cleaned and eventually re-networked, because it is a big risk. Beware of where and on what sites you log in, and of what you download and run.
