Internet Security 2010 - is it gone?


17 replies to this topic

#1 CCF

CCF

  • Members
  • 8 posts

Posted 16 January 2010 - 09:36 AM

My infected computer is running Windows XP.

I want to make sure I have totally removed Internet Security 2010 from my computer. Every time I thought I got it all I found another file. Can someone take a look at the logs for me please? I'll post every bit of info I have; sorry if it's overkill, but I don't know what might help and what isn't important.

I'm not 100% sure how I got this. I downloaded a file from my yahoo group, but as far as I can tell the document I downloaded is clear of infection. Perhaps it downloaded along with the document? In any case, I switched off my wifi as soon as the alerts began popping up and immediately went to a different computer to find out how to get rid of Internet Security 2010. Following the guides I found, I downloaded Malwarebytes to a flashdrive from my uninfected computer and used that to install it to the infected computer. I didn't want to risk going online with the infected computer. I was unable to reboot in safe mode, so I had to do this with windows running in normal mode.

After having to uninstall and reinstall Malwarebytes repeatedly, I was finally able to get it to open and perform a scan (IS2010 was blocking access to it and giving me errors when I tried to run it previously). Malwarebytes found the infection, I told it to fix the problems it found, and then it asked me to reboot, which I did.

Upon reboot my desktop background was still showing the bogus "your computer is infected" message, the desktop shortcut to IS2010 was still there, and after looking through a bunch of files I found that a few of them were not erased. I erased them manually, and located and removed the wallpaper and the desktop shortcut. I then did a search for all files created today and deleted a few prefetch files that came up as Internet Security 2010 files. After struggling with Malwarebytes some more, I got it to open to run two more scans, which came up clean. As of now I'm not seeing any more signs of the infection; however, Malwarebytes is still giving me errors 9 times out of 10 when I try to run it and I am still unable to boot my computer in safe mode.

I went online long enough to download HijackThis and got a log (posted below). I also have the Malwarebytes log from the first scan when my computer was fully infected, and a screenshot of the prefetch files I deleted. I can post those too if they will help.


Log:

Scan saved at 6:18:04 AM, on 1/16/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\DRIVERS\o2flash.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\DellTPad\Apoint.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\PixArt\PAC7302\Monitor.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Administrator\My Documents\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USSMB/1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.live.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uhauldealer.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USSMB/1
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://g.msn.com/USSMB/1
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "c:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [PAC7302_Monitor] C:\WINDOWS\PixArt\PAC7302\Monitor.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/MessengerGam...1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Update Service (gupdate1c9bb1e50d18f36) (gupdate1c9bb1e50d18f36) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: O2FLASH - O2Micro International - C:\WINDOWS\system32\DRIVERS\o2flash.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8181 bytes



#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 22 January 2010 - 05:52 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Also, please subscribe to this topic, so you are notified when someone replies. Please continue to check manually on occasion, as every now and then the email may be caught by your spam filter.
To enable topic notifications you should do the following:
  1. Click on the My Controls link at the top of the page to enter your control panel.
  2. Scroll down to the Options category in the left hand side menu bar and click on the Email Settings link.
  3. Put a checkmark in the checkbox labeled Enable 'Email Notification' by default?.
  4. Set the If ticked, choose default type: menu option to Immediate Email Notification to have an email sent immediately when someone replies.

Information on A/V control HERE


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#3 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,150 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 27 January 2010 - 06:51 PM

Due to the lack of feedback, this Topic will now be closed.

If you need this topic reopened, please request this by sending one of the Moderating team or an Administrator a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



#4 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,150 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 28 January 2010 - 06:13 PM

Topic re-opened as per member's request.



#5 CCF

CCF
  • Topic Starter

  • Members
  • 8 posts

Posted 28 January 2010 - 06:20 PM

Thank you! I apologize for not replying sooner; I didn't get a notification that there was a reply. I am still having problems. I'm at work now but I'll post what you've requested as soon as I get home.

#6 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 28 January 2010 - 06:22 PM

Thanks CCF... the email system is about 95% reliable, but misses happen. I'll be on the lookout for your updated log.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#7 CCF

CCF
  • Topic Starter

  • Members
  • 8 posts

Posted 29 January 2010 - 10:48 AM

I'm sure I still have something on the computer. On pages where I have FireFox's Adblock turned off, I get popup ads. The ads themselves are still blocked by Adblock once they open, but the popup windows still come up. Also, when I do searches and click a link in the results, the links auto-redirect about 90% of the time. For now I've enabled the feature in FireFox that prevents pages from auto-redirecting, but I still get the message that it's trying to redirect me all the time.

Since the first posting I have upgraded to the newest versions of FireFox, AVG and Adaware, and made sure I have all the updates for those as well as Spybot. After running scans with all of this over and over again I eventually found about 5 trojans that I'm assuming Internet Security 2010 installed. Those are all either healed and removed or sitting in my virus vaults on AVG and Adaware right now. I also found a few things left over from IS2010, which haven't seemed to reinstall themselves after I removed them.

Here is the DDS log as requested:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Beth at 8:30:48.78 on Fri 01/29/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2175 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\DRIVERS\o2flash.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\DellTPad\Apoint.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\DellTPad\Apntex.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\PixArt\PAC7302\Monitor.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\Beth\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.uhauldealer.com/
uSearch Page = hxxp://www.live.com
mDefault_Page_URL = hxxp://www.dell.com
mStart Page = hxxp://www.dell.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [PAC7302_Monitor] c:\windows\pixart\pac7302\Monitor.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
StartupFolder: c:\docume~1\beth\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: uhauldealer.com\webbest
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\beth\applic~1\mozilla\firefox\profiles\0uo62zj5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\beth\application data\mozilla\firefox\profiles\0uo62zj5.default\extensions\gametapplayer@gametap.com\plugins\npGameTapWebPlayer.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-1-16 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-2 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-2 28424]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-2 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-1-17 285392]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1181328]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2009-3-26 51288]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2009-3-26 43608]
S2 gupdate1c9bb1e50d18f36;Google Update Service (gupdate1c9bb1e50d18f36);c:\program files\google\update\GoogleUpdate.exe [2009-4-11 133104]

=============== Created Last 30 ================

2010-01-22 15:37:28 291696 ----a-w- c:\windows\system32\YSys.dll
2010-01-22 15:37:28 0 d-----w- c:\windows\system32\hwswchecker
2010-01-22 15:36:57 0 d-----w- c:\program files\GameTap Web Player
2010-01-22 15:36:20 0 d-----w- c:\docume~1\alluse~1\applic~1\GameTap Web Player
2010-01-17 11:33:01 0 d--h--w- C:\$AVG
2010-01-17 11:32:20 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-01-16 16:54:18 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-16 16:12:40 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-16 16:11:37 0 d-----w- c:\program files\Lavasoft
2010-01-16 15:57:38 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-16 10:04:23 0 ----a-w- c:\windows\system32\20255.exe
2010-01-16 10:00:30 0 d-----w- c:\docume~1\beth\applic~1\Malwarebytes
2010-01-16 10:00:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-13 00:16:28 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2010-01-17 11:32:47 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-17 11:32:47 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-17 11:32:37 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-22 05:21:05 667136 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:20:58 81920 ----a-w- c:\windows\system32\ieencode.dll

============= FINISH: 8:31:57.70 ===============


#8 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 29 January 2010 - 11:27 PM

Hello, CCF.
OK, we need to take a deeper look. You also mentioned errors when you run MBAM; what kind of errors are you getting?

Please make sure to disable all your spyware programs when you run GMER as they may interfere. Please also follow these guidelines now that we are working together:
  • Please do not run any unsupervised scans, fixes, etc. We can work against each other and end up in a worse place.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • When in doubt, please stop and ask first. There's no harm in asking questions!

I am a senior trainee, so my fix will be checked by a staff member. This may result in an extra day before I can reply.




Step 1

1. We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click and then on "Advanced Mode"
  4. You may be presented with a warning dialog. If so, press
  5. Click on
  6. Click on
  7. Uncheck this checkbox:
  8. Close/Exit Spybot Search and Destroy



Step 2

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.



Step 3

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

c:\windows\system32\20255.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/



Step 4

In your reply, please include the GMER log and the results from the virus scan of that file.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#9 CCF

CCF
  • Topic Starter

  • Members
  • 8 posts

Posted 30 January 2010 - 05:09 PM

I'm having a problem with the GMER log. I downloaded it, turned off all the protection, and ran the scan as you said to. The problem is that once the scan finishes the computer completely freezes, so I'm unable to save the log or even so much as take a screenshot of the results. I've tried doing this scan twice and both times it has completely locked up the computer. I'm also unable to run it in safe mode because ever since I got the virus I get an error when I try to start in safe mode. This is the error I get when trying to start in safe mode:

"A problem has been detected and Windows has been shut down to prevent damage to your computer.

PAGE_FAULT_IN_NONPAGED_AREA

If this is the first time you've seen this stop error screen, restart your
computer. If this screen appears again follow these steps:

Check to make sure any new hardware or software is properly installed. If this is a new installation ask your hardware or software manufacturer for any windows update you might need.

If problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing. If you need use safe mode to remove or disable components, restart your computer press F8 to select Advanced Startup Options and then select Safe Mode.

Technical information:

*** STOP: 0x00000050 (0xc796A4DC, 0x00000001, 0x80537009, 0x00000000)"

#10 etavares


Posted 30 January 2010 - 06:17 PM

Hello, CCF.
OK, that happens with some malware. Please don't forget to Jotti that file if it exists.

Instead of GMER, please do the following.


  1. Please download MBR.EXE by GMER. Save the file in your root directory. (C:\)
  2. Open Notepad and copy and paste the text in the codebox below (excluding the word Code) into Notepad.
    CODE
    @echo off
    cd\
    mbr.exe -t
    start mbr.log
  3. Next, select File --> Save As, change file type to All Files (*.*), and save it as fixme.bat in your c:\ folder.
  4. Open your c:\ folder and double-click on fixme.bat. A logfile will open (C:\mbr.log). Please paste the contents in your next reply.





#11 CCF


Posted 31 January 2010 - 01:34 AM

I did the Jotti scan. The file c:\windows\system32\20255.exe does exist, but the result showed it has 0 bytes. I tried again with Virustotal and it also showed 0 bytes.

---

I was already trying that GMER scan again when I saw your last message. Since I already had the scan on the screen I went ahead and manually typed up the results it showed in case it locked up the computer again when I tried to save it (which it did). I'm not sure if this will help at all, but just in case, here is what the scan showed (sorry about the format, I wasn't sure how else to type it):

Type: SSDT Name: Lbd.sys(Boot Driver/Lavasoft AB) Value: ZwCreateKey [0xBA0F887E]

Type: SSDT Name: Lbd.sys(Boot Driver/Lavasoft AB) Value: ZwSetValueKey [0xBA0F8BFE]

Type: .rsrc Name: C:\WINDOWS\system32\drivers\iaStor.sys Value: entry point in ".rsrc" section [0xB9F08000]

Type: .text Name: C:\WINDOWS\system32\SearchIndexer.exe[2152] kernel32.dll!WriteFile Value: 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

Type: AttachedDevice Name: \Driver\Tcpip \Device\Ip Value: avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Type: AttachedDevice Name: \Driver\Tcpip \Device\Tcp Value: avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Type: Device Name: \Driver\iaStor \Device\Ide\iaStor0 Value: [B9E888D6] iaStor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

Type: Device Name: \Driver\iaStor \Device\Ide\IAAStorageDevice-0 Value: [B9E888D6] iaStor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

Type: AttachedDevice Name: \Driver\Tcpip \Device\Upd Value: avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Type: AttachedDevice Name: \Driver\Tcpip \Device\RawIp Value: avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Type: Device Name: \FileSystem\FastFat \Fat Value: 97496D20

Type: AttachedDevice Name: \FileSystem\FastFat \Fat Value: fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Type: Device Name: \FileSystem\Cdfs \Cdfs Value: DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

Type: File Name: C:\WINDOWS\system32\drivers\iaStor.sys Value: suspicious modification

---

Here are the contents of the MBR.exe thing you had me do. Should I remove those files from my computer now or wait?:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys >>UNKNOWN [0x8A4BF8C8]<<
kernel: MBR read successfully
user & kernel MBR OK
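A small triage script, added here as an illustration and not code from the thread, GMER or mbr.exe: it scans lines in the shape of the two logs above for the markers a responder treats as rootkit evidence (an unknown module in the disk I/O call chain, a driver entry point inside .rsrc, a device hook from an unknown code section, a driver file flagged as modified). The sample lines are constructed after CCF's typed output, and the marker strings are assumptions drawn only from what appears in this thread.

```python
"""Added triage example, not code from the thread, GMER or mbr.exe: scans lines
shaped like the two logs CCF pasted for the markers a responder reads as rootkit
evidence. Sample lines are constructed after the thread's output."""
import re

# Constructed sample in the Type/Name/Value shape CCF typed up.
SAMPLE_GMER = r"""Type: SSDT Name: Lbd.sys(Boot Driver/Lavasoft AB) Value: ZwCreateKey [0xBA0F887E]
Type: .rsrc Name: C:\WINDOWS\system32\drivers\iaStor.sys Value: entry point in ".rsrc" section [0xB9F08000]
Type: Device Name: \Driver\iaStor \Device\Ide\iaStor0 Value: [B9E888D6] iaStor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Type: File Name: C:\WINDOWS\system32\drivers\iaStor.sys Value: suspicious modification"""
# Constructed sample modelled on the mbr.exe output above.
SAMPLE_MBR = """device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys >>UNKNOWN [0x8A4BF8C8]<<
kernel: MBR read successfully
user & kernel MBR OK"""

GMER_LINE = re.compile(r"Type: (\S+) Name: (.*?) Value: (.*)")
MBR_UNKNOWN = re.compile(r">>UNKNOWN \[0x[0-9A-Fa-f]+\]<<")
# (substring in the Value field, what it means for the responder); assumed markers
GMER_MARKERS = (
    ('entry point in ".rsrc" section', "driver entry point relocated into .rsrc"),
    ("[unknown section]", "device dispatch hooked from an unknown code section"),
    ("suspicious modification", "driver file modified on disk"),
)

def triage_gmer(text: str) -> list[str]:
    """Return one finding per GMER line whose Value carries a marker above."""
    findings = []
    for line in text.splitlines():
        m = GMER_LINE.match(line)
        if not m:
            continue  # not a Type/Name/Value line
        kind, name, value = m.groups()
        for needle, meaning in GMER_MARKERS:
            if needle in value:
                # the first token of Name is the driver file or device object
                findings.append(f"{kind} {name.split()[0]}: {meaning}")
    return findings

def triage_mbr(text: str) -> list[str]:
    """Flag an unknown module in mbr.exe's 'called modules' chain."""
    findings = []
    for line in text.splitlines():
        if line.startswith("called modules:"):
            for hit in MBR_UNKNOWN.findall(line):
                findings.append(f"unknown module in disk I/O call chain: {hit}")
    return findings
```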

#12 CCF


Posted 31 January 2010 - 01:49 AM

QUOTE
You also mentioned errors when you run MBAM, what kind of errors are you getting?


I have it uninstalled right now and I don't recall the exact error message. I can reinstall it and see if I can get it to work (or give me an error) if you want. When I used it before I had to keep uninstalling and reinstalling it to get it to work, otherwise it wouldn't even open. I'd click it and it just wouldn't do anything. I read on a few sites that IS2010 can block virus and spyware/malware programs from working properly so I assumed that was the problem. Once I did finally get it to run, however, I could only run it once because after that it gave me an error when I tried to use it.

#13 etavares


Posted 31 January 2010 - 12:20 PM

Hello, CCF.
OK, leave MBAM off for now. Those kinds of errors are pretty typical with malware on your machine.

And thanks for typing out the GMER log. Sorry I didn't catch you sooner, but both of them show a backdoor rootkit still on your system from the IS2010.



One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.



Step 1

Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.



Step 2

In your reply, please post:
  • Combofix log
  • Description of any remaining issues and any issues that have been solved.




#14 CCF


Posted 31 January 2010 - 03:39 PM

-_- I was afraid of that. I've seen other people with IS2010 get the same result, but I was hoping I got to it in time. It's a fairly new computer, too.

I have done banking on this computer in the past and paypal, but I haven't gone near it since I got the virus(es) and I don't have the password stored on the computer. I have logged into various email accounts and websites though. Should I change all of my passwords on everything, or just those that I have logged into lately? Should I still notify my bank?

I do have the OS CD that came with the computer and one of my family members who works on computers says he can reformat the drive and reinstall everything for me. Will it be okay after that or should I still not do any banking or save any personal details on it from this point on? Also, should we, you and I, go ahead and finish trying to get rid of it before I get everything wiped and reinstalled or will doing that take care of it? There are some files, mostly word documents, that I absolutely must have off that computer. Is it safe to save them to a flash drive and put them back on the computer after windows is reinstalled or is there a safer way to do it?

#15 etavares


Posted 31 January 2010 - 04:08 PM

Hello, CCF.
If you have not stored the password or entered it since you were infected, you should be OK, but I still recommend changing all of them. If you monitor your bank account and paypal, you can spot the fraud if it happens, but you still may want to call them so they can note that you may have had a security breach. That's up to you. It's important to note that it should be reformatted, just not reinstalled. That's an important step to ensure it is gone. That is the only sure way to remove this virus. If you are able, you can save some documents to a flash drive. I recommend this step to help keep you from automatically infecting your clean computer. Note that this is not an antivirus and the files may be infected, but it will keep it from automatically running the second you plug your flash drive into your clean computer.



Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.



Please bear in mind that many files can harbor infections. I recommend you only back up word documents, pictures and the like, not full programs. Please scan them from your clean computer before opening with an up-to-date antivirus program. That will help to keep your other computer clean. If you are going to reformat and can pull off your documents, there is no need to continue trying to fix this machine.

If you do decide to reformat, please read these first:

Here's a good article on how to reformat:
When Should I Format, How Should I Reinstall

Also, to protect yourself against malware and reduce your chance of reinfection in the future, I strongly recommend having a look at the following links (giving some advice and tips):
Please let me know what you decide...if you want to reformat, or if you want to continue this log. Thanks!







