Am I infected?

[kristell]

Sons laptop got infected - he turned his laptop on and it first seemed that everything had gone and when we went on to websites it was being redirected to other websites......so I ran malware bytes and it seems to clear it. When I run AVG is seems there is still something lurking. Have followed your instructions and run the programmes suggested.

I ran DDS (twice) and it did not give me an attach log - ark.txt is attached and here is DDS:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.7600.16385

Run by MEDION at 9:55:27 on 2011-09-29

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.2815.1814 [GMT 1:00]

.

AV: BullGuard Antivirus *Enabled/Outdated* {504FFF66-3028-EB7E-2E60-62B19ADD791C}

SP: BullGuard Antispyware *Enabled/Outdated* {EB2E1E82-1612-E4F0-14D0-59C3E15A33A1}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\PROGRA~1\AVG\AVG2012\avgrsx.exe

C:\Program Files\AVG\AVG2012\avgcsrvx.exe

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\system32\atiesrxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\atieclxx.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\AVG\AVG2012\avgwdsvc.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\System Control Manager\MSIService.exe

c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe

C:\Program Files\System Control Manager\MGSysCtrl.exe

C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe

C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe

C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\8.0.1\ToolbarUpdater.exe

C:\Program Files\AVG\AVG2012\avgtray.exe

C:\Program Files\AVG Secure Search\vprot.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe

C:\Program Files\AVG\AVG2012\avgnsx.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Windows Live\Toolbar\wltuser.exe

C:\Windows\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.facebook.com/

uDefault_Page_URL = hxxp://www.aldi.com

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\mif5ba~1\office14\GROOVEEX.DLL

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\8.0.0.34\AVG Secure Search_toolbar.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\mif5ba~1\office14\URLREDIR.DLL

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\8.0.0.34\AVG Secure Search_toolbar.dll

{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}

uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe

mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"

mRun: [MGSysCtrl] c:\program files\system control manager\MGSysCtrl.exe

mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s

mRun: [RtHDVBg] c:\program files\realtek\audio\hda\RtHDVBg.exe /FORPCEE3

mRun: [bCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices

mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"

mRun: [vProt] "c:\program files\avg secure search\vprot.exe"

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\mif5ba~1\office14\ONBttnIE.dll/105

IE: {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - http://rover.ebay.com/rover/1/710-72741-17534-1/4

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

TCP: DhcpNameServer = 194.168.4.100 194.168.8.100

TCP: Interfaces\{22038B99-72CD-4E57-879F-7C86CC823AC0} : DhcpNameServer = 194.168.4.100 194.168.8.100

TCP: Interfaces\{22038B99-72CD-4E57-879F-7C86CC823AC0}\45543545027594649402B20294450247F6F6C602E4564777F627B6 : DhcpNameServer = 192.168.2.1

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll

Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\8.0.1\ViProtocol.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\mif5ba~1\office14\GROOVEEX.DLL

.

============= SERVICES / DRIVERS ===============

.

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-7-11 32464]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-7-11 229840]

R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]

R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]

R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-6-19 176128]

R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-9-1 5265248]

R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]

R2 Micro Star SCM;Micro Star SCM;c:\program files\system control manager\MSIService.exe [2010-6-24 160768]

R2 vToolbarUpdater;vToolbarUpdater;c:\program files\common files\avg secure search\vtoolbarupdater\8.0.1\ToolbarUpdater.exe [2011-9-27 246600]

R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2010-6-19 5551104]

R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2010-6-19 176128]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134736]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-7-11 16720]

R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-6-23 278560]

R3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\drivers\rtl8192se.sys [2010-6-23 996896]

R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [2010-6-23 30392]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2010-6-18 136304]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2011-6-12 31125880]

S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]

S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-9-3 1343400]

.

=============== Created Last 30 ================

.

2011-09-27 16:33:36 -------- d-----w- c:\users\medion\appdata\local\Adobe

2011-09-27 16:27:51 -------- d-----w- c:\program files\MALWAREBYTES ANTI-MALWARE

2011-09-27 10:19:13 -------- d--h--w- C:\$AVG

2011-09-27 10:02:13 -------- d-----w- c:\users\medion\appdata\roaming\AVG2012

2011-09-27 10:00:15 -------- d-----w- c:\program files\common files\AVG Secure Search

2011-09-27 10:00:15 -------- d-----w- c:\program files\AVG Secure Search

2011-09-27 09:59:41 -------- d-----w- c:\windows\system32\drivers\AVG

2011-09-27 09:59:41 -------- d-----w- c:\programdata\AVG2012

2011-09-27 09:58:45 -------- d-----w- c:\program files\AVG

2011-09-27 09:52:09 -------- d--h--w- c:\programdata\Common Files

2011-09-27 09:52:02 -------- d-----w- c:\programdata\MFAData

2011-09-27 09:42:15 -------- d-----w- c:\users\medion\appdata\roaming\Malwarebytes

2011-09-27 09:42:11 -------- d-----w- c:\programdata\Malwarebytes

2011-09-27 09:42:08 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-09-27 09:42:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-09-27 07:27:16 7152464 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{bf2a83f7-f19c-451f-9d94-afcd967ddace}\mpengine.dll

2011-09-26 21:06:13 -------- d--h--w- c:\users\medion\appdata\roaming\Rytae

2011-09-14 07:02:37 1074176 ----a-w- c:\windows\system32\DWrite.dll

2011-09-14 07:02:36 802304 ----a-w- c:\windows\system32\FntCache.dll

2011-09-14 07:02:36 739840 ----a-w- c:\windows\system32\d2d1.dll

2011-09-13 20:24:44 319488 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\hpfppw73.dll

2011-09-07 21:20:49 -------- d-sh--w- c:\users\medion\appdata\local\.#

2011-09-05 09:51:06 -------- d-----w- c:\program files\Microsoft Synchronization Services

2011-09-05 09:48:07 -------- d-----w- c:\program files\Microsoft Visual Studio 8

2011-09-05 09:46:52 -------- d-----w- c:\program files\Microsoft Analysis Services

2011-09-05 09:46:18 -------- d--h--w- c:\users\medion\appdata\local\Microsoft Help

2011-09-03 08:34:48 -------- d-----w- c:\windows\system32\Wat

2011-09-02 21:41:53 293376 ----a-w- c:\windows\system32\browserchoice.exe

2011-09-02 21:37:32 190976 ----a-w- c:\windows\system32\drivers\ks.sys

2011-09-02 21:37:32 146304 ----a-w- c:\windows\system32\drivers\usbvideo.sys

2011-09-02 21:37:06 276992 ----a-w- c:\windows\system32\wcncsvc.dll

2011-09-02 15:35:53 4247040 ----a-w- c:\program files\windows nt\accessories\wordpad.exe

2011-09-02 15:35:53 1413632 ----a-w- c:\windows\system32\ole32.dll

2011-09-02 15:33:59 37376 ----a-w- c:\windows\system32\rtutils.dll

2011-09-02 15:33:56 541184 ----a-w- c:\windows\system32\kerberos.dll

2011-09-02 15:33:54 222720 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys

2011-09-02 15:33:53 96256 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys

2011-09-02 15:33:53 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-09-02 15:33:49 987136 ----a-w- c:\program files\common files\system\ado\msado15.dll

2011-09-02 15:33:49 573440 ----a-w- c:\windows\system32\odbc32.dll

2011-09-02 15:33:49 372736 ----a-w- c:\program files\common files\system\ado\msadox.dll

2011-09-02 15:33:49 352256 ----a-w- c:\program files\common files\system\ado\msadomd.dll

2011-09-02 15:33:49 208896 ----a-w- c:\program files\common files\system\msadc\msadco.dll

2011-09-02 15:32:01 2048 ----a-w- c:\windows\system32\tzres.dll

2011-09-02 15:31:40 78336 ----a-w- c:\windows\system32\drivers\dfsc.sys

2011-09-02 15:31:38 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys

2011-09-02 15:31:36 740864 ----a-w- c:\windows\system32\inetcomm.dll

2011-09-02 15:31:35 530432 ----a-w- c:\windows\system32\comctl32.dll

2011-09-02 15:31:33 954752 ----a-w- c:\windows\system32\mfc40.dll

2011-09-02 15:31:33 954288 ----a-w- c:\windows\system32\mfc40u.dll

2011-09-02 15:29:16 2614784 ----a-w- c:\windows\explorer.exe

2011-09-02 15:28:53 2690560 ----a-w- c:\windows\system32\mstscax.dll

2011-09-02 15:28:53 1034240 ----a-w- c:\windows\system32\mstsc.exe

2011-09-02 15:28:35 2332672 ----a-w- c:\windows\system32\win32k.sys

2011-09-02 15:28:33 94208 ----a-w- c:\program files\common files\system\ole db\msdaosp.dll

2011-09-02 15:28:33 86016 ----a-w- c:\windows\system32\odbccu32.dll

2011-09-02 15:28:33 81920 ----a-w- c:\windows\system32\odbccr32.dll

2011-09-02 15:28:33 319488 ----a-w- c:\windows\system32\odbcjt32.dll

2011-09-02 15:28:33 122880 ----a-w- c:\windows\system32\odbccp32.dll

2011-09-02 15:28:32 163840 ----a-w- c:\windows\system32\odbctrac.dll

2011-09-02 15:27:36 161792 ----a-w- c:\windows\system32\d3d10_1.dll

2011-09-02 15:27:35 168448 ----a-w- c:\windows\system32\srvsvc.dll

2011-09-02 15:27:32 1289536 ----a-w- c:\windows\system32\ntdll.dll

2011-09-02 15:27:15 1170944 ----a-w- c:\windows\system32\d3d10warp.dll

2011-09-02 15:27:14 3181568 ----a-w- c:\windows\system32\mf.dll

2011-09-02 15:27:13 218624 ----a-w- c:\windows\system32\d3d10_1core.dll

2011-09-02 15:27:13 196608 ----a-w- c:\windows\system32\mfreadwrite.dll

2011-09-02 15:27:13 1619456 ----a-w- c:\windows\system32\WMVDECOD.DLL

2011-09-02 15:27:13 1495040 ----a-w- c:\windows\system32\ExplorerFrame.dll

2011-09-02 15:27:12 135168 ----a-w- c:\windows\system32\XpsRasterService.dll

2011-09-02 15:26:54 204288 ----a-w- c:\windows\system32\upnp.dll

2011-09-02 15:26:54 1389568 ----a-w- c:\windows\system32\msxml6.dll

2011-09-02 15:26:53 80384 ----a-w- c:\windows\system32\davclnt.dll

2011-09-02 15:26:53 73728 ----a-w- c:\windows\system32\wscsvc.dll

2011-09-02 15:26:53 51200 ----a-w- c:\windows\system32\wscapi.dll

2011-09-02 15:26:53 350720 ----a-w- c:\windows\system32\winhttp.dll

2011-09-02 15:26:53 204800 ----a-w- c:\windows\system32\WebClnt.dll

2011-09-02 15:26:53 14336 ----a-w- c:\windows\system32\slwga.dll

2011-09-02 15:26:53 1236992 ----a-w- c:\windows\system32\msxml3.dll

2011-09-02 15:25:52 738816 ----a-w- c:\windows\system32\wmpmde.dll

2011-09-02 15:25:49 101760 ----a-w- c:\windows\system32\consent.exe

2011-09-02 15:25:39 759296 ----a-w- c:\program files\common files\microsoft shared\vgx\VGX.dll

2011-09-02 15:25:37 1164288 ----a-w- c:\windows\system32\mfc42u.dll

2011-09-02 15:25:37 1137664 ----a-w- c:\windows\system32\mfc42.dll

2011-09-02 15:24:33 69632 ----a-w- c:\windows\system32\drivers\bowser.sys

2011-09-02 15:24:32 363520 ----a-w- c:\windows\system32\StructuredQuery.dll

2011-09-02 15:24:30 7680 ----a-w- c:\program files\internet explorer\iecompat.dll

2011-09-02 15:24:28 123904 ----a-w- c:\windows\system32\poqexec.exe

2011-09-02 15:24:27 26496 ----a-w- c:\windows\system32\drivers\Diskdump.sys

2011-09-02 15:20:54 728448 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys

2011-09-02 15:20:53 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys

2011-09-02 15:20:53 107520 ----a-w- c:\windows\system32\cdd.dll

2011-09-02 14:58:05 -------- d--h--w- c:\users\medion\appdata\local\Diagnostics

.

==================== Find3M ====================

.

2011-07-22 04:56:17 1638912 ----a-w- c:\windows\system32\mshtml.tlb

2011-07-16 04:37:32 169984 ----a-w- c:\windows\system32\winsrv.dll

2011-07-16 04:34:28 290816 ----a-w- c:\windows\system32\KernelBase.dll

2011-07-16 04:31:12 271360 ----a-w- c:\windows\system32\conhost.exe

2011-07-16 02:21:47 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll

2011-07-16 02:21:47 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll

2011-07-16 02:21:47 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll

2011-07-16 02:21:47 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll

2011-07-11 00:14:38 295248 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2011-07-11 00:14:16 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys

2011-07-11 00:14:14 24272 ----a-w- c:\windows\system32\drivers\AVGIDSFilter.sys

2011-07-11 00:14:12 23120 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys

2011-07-11 00:14:12 134736 ----a-w- c:\windows\system32\drivers\AVGIDSDriver.sys

2011-07-11 00:13:46 229840 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2011-07-11 00:13:42 32464 ----a-w- c:\windows\system32\drivers\avgrkx86.sys

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 6.1.7600 Disk: SAMSUNG_ rev.2AJ1 -> Harddisk0\DR0 ->

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys amdxata.sys >>UNKNOWN [0x869524D0]<<

c:\windows\system32\drivers\amdxata.sys Advanced Micro Devices Stor Filter Driver

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x869587d0]; MOV EAX, [0x8695884c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 ntkrnlpa!IofCallDriver[0x8303F458] -> \Device\Harddisk0\DR0[0x86901030]

3 CLASSPNP[0x8AFAE59E] -> ntkrnlpa!IofCallDriver[0x8303F458] -> [0x868B4020]

5 amdxata[0x839846B3] -> ntkrnlpa!IofCallDriver[0x8303F458] -> \00000057[0x868AF030]

\Driver\amdsata[0x869028F8] -> IRP_MJ_CREATE -> 0x869524D0

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; MOV ES, AX; MOV DS, AX; MOV SI, SP; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; JMP FAR 0x0:0x660; }

detected disk devices:

\Device\00000057 -> \??\SCSI#Disk&Ven_SAMSUNG&Prod_HM321HI#4&2ea1f1e1&0&010000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

detected hooks:

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

.

============= FINISH: 9:55:52.53 ===============

ark.zip

mbam-log-2011-09-27 (10-46-12).txt

[kristell]

Continuing to get multiple threats all day - have attached some more logs for you

mbam-log-2011-09-27 (17-31-51).zip

[AdvancedSetup]

Please visit the following site for instructions on How to use ComboFix

• When the tool is finished, it will produce a report for you.
  
• Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

[kristell]

Thank you. I still keep getting AVG telling me I am infected... but here are the logs (and a few more) requested!

Attach (2).zip

DDS.txt

ComboFix.txt

mbam-log-2011-09-27 (17-31-51).zip

[AdvancedSetup]

Please download and run the following tdsskiller scanner from Kaspersky.

Save it to your desktop. Right click the file and select "Run as administrator" and run the scanner and have it check for any infection and follow the directions it provides.

It will leave a log file similar in name to this: C:\TDSSKiller.2.4.7_23.07.2010_15.31.43_log.txt please upload that file on your next reply.

[kristell]

Thank you for getting back - log attached

TDSSKiller.2.6.3.0_03.10.2011_09.25.20_log.txt

[AdvancedSetup]

Great, looks like the Kasperksy tool got the main file there. Please go ahead now and run Combofix one more time and if it asks to update itself please allow it to.

Then post back the new log. Going to bed soon so I'll check back with you when I get back.

Thanks

[kristell]

ok - have a good nights sleep!!

Regards and thanks for being so quick with your responses.

[kristell]

Here you go.

[kristell]

Here you go.

oops

ComboFix.txt

[AdvancedSetup]

STEP 01

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

File::
c:\windows\system32\winsett.exe
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AksXqsrx"=-
RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

• Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  
• Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  
• A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  When the scan completes Notepad will open with with your results log open. Do a File, Exit.

A caution - Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 02

Update and Scan with Malwarebytes' Anti-Malware

• Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  
• Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  
  • Update Malwarebytes' Anti-Malware
    
  • Select the Update tab
    
  • Click Update

  [*]When the update is complete, select the Scanner tab

  [*]Select Perform quick scan, then click Scan.

  [*]When the scan is complete, click OK, then Show Results to view the results.

  [*]Be sure that everything is checked, and click Remove Selected.

  [*]When completed, a log will open in Notepad. please copy and paste the log into your next reply

  • If you accidently close it, the log file is saved here and will be named like this:
    
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

STEP 03

Download

DDS

and save it to your desktop

http://download.bleepingcomputer.com/sUBs/dds.scr

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Ant-Virus temporarily if needed.

Then double click

dds.scr

to run the tool.

When done, the

DDS.txt

will open.

Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:

1. DDS.txt
   
   
2. Attach.txt

• Save both reports to your desktop
• Please include the following logs in your next reply:
  DDS.txt
  and
  Attach.txt

STEP 04
Next, please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.

1. Tick the box next to YES, I accept the Terms of Use.
   
2. Click Start
   
3. When asked, allow the ActiveX control to install
   
4. Click Start
   
5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
   
6. Click Scan
   Wait for the scan to finish
   
7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
   
8. Copy and paste that log as a reply to this topic
   

STEP 05

Next, download Security Check from here or here.

• Save it to your Desktop.
  
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.
  

Then post back the Combofix, MBAM, DDS, ESET, and CHECKUP logs.

Let me know how things are running now and what issues remain.

[kristell]

For some reason DDS won't run properly - it starts and then just keeps stopping and disappearing - I have disabled virus software..... it did work for me previously. I have tried downloading it again, but it just won't work.

[kristell]

Keep trying it and it goes for about five seconds and then gives a message which disappears so quick I can't read it - it starts The system....... but I just can't get to read what comes after that it goes off so quick!!

[kristell]

In the meantime here are the logs from the first two

ComboFix.txt

mbam-log-2011-10-04 (06-58-49).txt

[AdvancedSetup]

Please see the following link on How to start an Elevated Command Prompt in Windows 7 and Vista

Then start an elevated command prompt and type the following exactly and then reboot the computer.

netsh int ip reset c:\resetlog.txt

Or you can download a tool and have Microsoft reset it for you.

How to reset Internet Protocol (TCP/IP)

Then make sure to disable your AVG AV and run the online ESET AV scan and send back those results please.

[kristell]

phew a lot of logs - have added them all to the one folder - hope that is ok!

If I get some more threats pop up I will let you know - i have to go to a meeting now but will be back on later.

Really appreciate your time with this awful mess.

logs.zip

[AdvancedSetup]

Well that is not good.

The logs show that this system is infected by the Ramnit virus.

(please read more about it from the link above)

Many experts recommend actually rebuilding the computer by removing the partition and creating a new partition and then install windows fresh.

It's up to you but if you want to try and salvage the computer I highly recommend downloading and creating this tool from Kasperky and then boot from it on the infected system and let it update, scan, and repair the system. Kaspersky Rescue Disk 10

There is no guarantee that it can completely clean this system and you may want to go ahead and let it clean it and then backup any important data and then go ahead and fdisk, format, and re-install Windows to be safe.

You need to be very careful with this infection. Do not use USB disks between this infected computer and any other computer you have as it can infect them as well. It would be best to keep it off of the same network that others may be on as well.

Please make sure all other systems have up to date Anti-Virus and do a Full System scan on them as well.

[kristell]

Thank you I think I will ask somebody to sort this for me - I don't think it is something I want to do myself. Can you tell me what is the best way to scan my other computer to check that the virus hasn't spread?

[AdvancedSetup]

Any of the Major Anti-Virus programs that are up to date should be able to scan and detect this.

Kaspersky, McAfee, Trend AV, etc

Hopefully you do have an Anti-Virus installed on your system. Check for updates and then have it do a Full System Scan and see what it tells you.

Well then if you're all set here and you'll have someone help you with rebuilding the computer I'll go ahead and close your post soon. Just make sure that in the future you have the computer protected at all times and do proactive data backups as well.

Also take a look at the following article

http://forums.malwarebytes.org/index.php?showtopic=9365

Thank you for contacting Malwarebytes

[kristell]

Yes I have AVG and nothing seems to be untoward so far. I do very much appreciate your help.

[AdvancedSetup]

I would recommend another AV just to verify. AVG is often targeted and is infected itself lately.

Try uninstalling AVG and maybe install Microsoft Security Essentials and update it and do a Full System Scan with it. Then if you really like AVG uninstall MSE and put AVG back.

It's up to you but that would be my suggestion.

[kristell]

Where do I get MSE from?

[AdvancedSetup]

It's free from Microsoft and you can get it from here. Don't install it though with AVG still installed.

http://www.microsoft.com/en-us/security_essentials/default.aspx

[kristell]

Is the best way to uninstall AVG via the control panel and uninstall programmes? Sometimes things still seem to hang around in the background.

[AdvancedSetup]

Yes, I would first try removing via the control panel and then reboot.

Then run their manual removal tool on top of that.

http://www.avg.com/us-en/utilities

Let me know if you have any trouble with it.

Thanks