Jump to content

Recommended Posts

Hey there,

I've been trying to fix my Mother-In-Law's laptop for the better part of the day now, and I think I need a little more help.

The computer had the following problems/programs when I saw it this morning:

*Registry Helper (Since Removed)

*PC Optimizer Pro (Since Removed)

*NetAssistant (Since Removed)

*Numerous Website redirects, in both IE8 and Chrome browsers

*AVG 2011 Free wasn't working (Could not scan or update program)

Initial MBAM Scan showed 36 problems, fixed then rebooted.

Used Hijack this and removed some Registry Helper entries and a couple other minor ones.

Removed AVG, installed AVIRA AV, Ran quick scan, came up clean.

Still having website redirects that I can't get rid of.

Here's my DDS.txt. attach.txt and ark.txt are attached.

Any help is MOST APPRECIATED!

****

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by Lynne at 18:46:17.93 on Sat 05/14/2011

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1133 [GMT -7:00]

.

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: Norton Internet Worm Protection *Disabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\rundll32.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

C:\Program Files\Canon\MyPrinter\BJMyPrt.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\DivX\DivX Plus Web Player\DDmService.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\program files\real\realplayer\update\realsched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\DNA\btdna.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\cidaemon.exe

svchost.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

E:\Spyware Removal\dds.com

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.ca/

uDefault_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row&channel=ca&ibd=2071115

uSearch Bar = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll

BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll

BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll

BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll

TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File

TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll

EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter

uRun: [bitTorrent DNA] "c:\program files\dna\btdna.exe"

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"

mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"

mRun: [%PROVIDERID%] "bin\sprtcmd.exe" /P %PROVIDERID%

mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter

mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe

mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon

mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon

mRun: [DivX Download Manager] "c:\program files\divx\divx plus web player\DDmService.exe" start

mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"

mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"

mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot

mRun: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000

IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll

IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab

DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1196459123546

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: AtiExtEvent - Ati2evxx.dll

Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

LSA: Authentication Packages = msv1_0 nwprovau

.

============= SERVICES / DRIVERS ===============

.

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]

R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]

S0 letyf;letyf;c:\windows\system32\drivers\dbdfynw.sys --> c:\windows\system32\drivers\dbdfynw.sys [?]

S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-3 123472]

S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-3 30288]

S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-3 26192]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-8 135664]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-4-23 38224]

S4 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]

S4 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]

S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-8 135664]

.

=============== Created Last 30 ================

.

2011-05-15 01:28:18 8192 ----a-w- c:\windows\system32\wshirda.dll

2011-05-15 01:28:18 8192 ----a-w- c:\windows\system32\dllcache\wshirda.dll

2011-05-15 01:28:18 28160 ----a-w- c:\windows\system32\irmon.dll

2011-05-15 01:28:18 28160 ----a-w- c:\windows\system32\dllcache\irmon.dll

2011-05-15 01:28:17 151552 ----a-w- c:\windows\system32\irftp.exe

2011-05-15 01:28:17 151552 ----a-w- c:\windows\system32\dllcache\irftp.exe

2011-05-15 01:14:49 -------- d-----w- c:\docume~1\lynne\applic~1\PriceGong

2011-05-15 00:41:14 54016 ----a-w- c:\windows\system32\drivers\vibduqo.sys

2011-05-14 20:13:55 419712 ----a-w- c:\program files\Drivers_pack_v4.55.63_fix.exe

2011-05-14 19:53:30 50305 ----a-w- c:\windows\system32\ugkcjnjiwjx.exe

2011-05-14 19:53:21 106496 --sha-r- c:\windows\system32\vbicodecf.dll

2011-05-14 19:53:09 93761 ----a-w- c:\program files\common files\microsoft shared\web components\messenger.exe

2011-05-14 16:52:35 -------- d-----w- c:\docume~1\alluse~1\applic~1\Registry Helper

2011-05-14 16:52:23 -------- d-----w- c:\program files\VideoLAN

2011-05-14 16:52:01 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Optimizer Pro

2011-05-14 16:51:55 -------- d-----w- c:\program files\PC Optimizer Pro

2011-05-14 16:51:44 -------- d-----w- c:\program files\Freeze.com

2011-05-14 16:51:39 -------- d-----w- c:\program files\Yahoo!

2011-05-14 16:36:52 -------- d-----w- c:\program files\common files\xing shared

2011-05-09 00:09:32 -------- d-----w- c:\program files\uTorrent

2011-05-09 00:08:58 -------- d-----w- c:\docume~1\lynne\applic~1\uTorrent

2011-05-04 15:55:04 93761 ----a-w- C:\messenger.exe

2011-05-02 19:41:20 389120 ----a-w- c:\windows\system32\RegistryHelperLM.ocx

2011-04-27 15:04:43 -------- d-----w- C:\bkup

2011-04-27 14:43:16 -------- d-----w- c:\program files\Trend Micro

2011-04-27 06:55:54 -------- d-----w- c:\windows\pss

2011-04-24 05:16:39 -------- d-----w- c:\docume~1\lynne\applic~1\Malwarebytes

2011-04-24 05:10:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-04-24 05:10:01 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2011-04-24 05:09:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-04-24 05:09:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.

==================== Find3M ====================

.

2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys

2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll

2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-02-22 23:06:29 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec

2011-02-18 23:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll

2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll

2009-07-22 22:18:46 2983936 ----a-w- c:\program files\PD.exe

1997-08-19 18:45:00 9106432 ----a-w- c:\program files\pdintros.dll

1997-08-19 18:44:30 10752000 ----a-w- c:\program files\PD2.dll

1997-08-19 17:13:00 400384 ----a-w- c:\program files\PD1.dll

1997-08-14 22:48:56 5386 ----a-w- c:\program files\PD.REG

1997-05-29 01:32:20 87552 ----a-w- c:\program files\patterns.dll

1997-02-25 04:37:52 306688 ----a-w- c:\program files\FPXLIB.DLL

1996-10-30 16:35:08 32768 ----a-w- c:\program files\plugin.dll

1996-07-03 21:07:22 18432 ----a-w- c:\program files\psut9532.dll

1996-07-03 21:07:06 50176 ----a-w- c:\program files\csdtrn32.dll

1996-05-10 20:38:10 47104 ----a-w- c:\program files\Picn1013.dll

1996-05-10 20:36:18 59904 ----a-w- c:\program files\Picn1113.dll

1996-05-10 20:30:46 21504 ----a-w- c:\program files\Picn13.dll

1996-05-02 17:13:00 16080 ----a-w- c:\program files\pd.fon

1996-02-20 17:30:32 15872 ----a-w- c:\program files\PSUT32.DLL

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: ST9320421AS rev.SD13 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A748ECC]<<

_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x88bb9879; SUB DWORD [EBP-0x4], 0x88bb9135; PUSH EDI; CALL 0xffffffffffffdf2c; }

1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A73DAB8]

3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A7777B8]

[0x8A741320] -> IRP_MJ_CREATE -> 0x8A748ECC

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; }

detected disk devices:

\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST9320421AS_____________________________SD13____#5&24cbc6ab&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

detected hooks:

\Driver\atapi DriverStartIo -> 0x8A748AF1

user & kernel MBR OK

sectors 625142446 (+183): user != kernel

Warning: possible TDL3 rootkit infection !

.

============= FINISH: 18:47:30.54 ===============

ark_attach.zip

Link to post
Share on other sites

Hi there

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step. Please perform everything in the correct order/sequence.

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Link to post
Share on other sites

Thanks for taking the time to help.

Attached is my combofix.txt file

Is it worth mentioning that even though I deleted the AVG 2011, Combofix still identified that AVG 2011 was running in the background. Does AVG still have its hooks in the system?

Hi there

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step. Please perform everything in the correct order/sequence.

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

combofix_log.txt

Link to post
Share on other sites

Hi there

Does AVG still have its hooks in the system?

Yes it does. Lets run a tool to take them out......

Please download AVG remover from their site.

AVG - Download tools

A Direct link to the AVG Remover can be found here >> http://download.avg.com/filedir/util..._2011_1149.exe

You may also use this tool to uninstall AVG:

http://www.appremover.com/appremover/avg/AppRemover.exe

Instructions for using this tool can be found here >> Using AppRemover — OPSWAT AppRemover

-------------------------------

Combofix

Close any open browsers.

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\RegistryHelperLM.ocx
c:\windows\system32\ugkcjnjiwjx.exe
c:\windows\system32\drivers\vibduqo.sys
c:\windows\system32\drivers\dbdfynw.sys

Driver::
letyf

RegNull::
[HKEY_USERS\S-1-5-21-530212586-264376689-721655545-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*%&**]

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply

-------------------------------

MalwareBytes

Please run a fresh scan with MalwareBytes

First I want you to update MBAM so we have the latest definitions onboard.....

Please open Malwarebytes Antimalware

Now click on the update tab

Next - Click on the Check for updates button

  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.

    [*]The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.

    [*]The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.

    [*]When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".

    [*]Click OK to close the message box and continue with the removal process.

    [*]Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.

    [*]Make sure that everything is checked, and click Remove Selected.

    [*]When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)

    [*]The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.

    [*]Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

-------------------------------

Please post back in your next reply with:

  • The log from Combofix
  • The log from MBAM
  • An update on how things are running now

Link to post
Share on other sites

Hey There,

Attached you will find the two logs. CFLog for ComboFix and the MBAM log.

I've also included for interest sake an Avira log showing a rootkit that it found this morning. It seems to be located in an old system restore volume; am I correct on this? Is this problematic?

Also worth noting, neither tool you gave me for removing the AVG remnants worked. The one from AVG ran a script, (which I couldn't review afterwards) and the appremover tool couldn't find any failed uninstalls. ComboFix ran again with AVG seemingly running and enabled. Again, should I be concerned?

I will try to put the computer through the paces now, and see if I can get it to replicate the problems.

Thank you so much for your help with all this...

Ken

AVSCAN-20110516-065020-1569CEAD.LOG

mbam-log-2011-05-16 (07-42-18).txt

CFLog.txt

Link to post
Share on other sites

Hi there

Great work, so far so good.

Regarding the entry that Avira found; this was detected in the system restore and would have been flushed out at the end of the fix so it would not have presented us with a problem.

Regarding AVG; the main reason I wanted to make sure it was out was so that it does not interfere with combofix. I can see AVG is listed in the WMI reference, although it is harmless we can remove it easy enough in these next steps.

---------------------------------------

Close any open browsers.

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open notepad and copy/paste the text in the quotebox below into it:

Skipfix::
SecCenter:: AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Apart from that all appears to be ok log wise, how are things at your side?

Link to post
Share on other sites

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.