Requested logs for Google redirect. (Possible TDSS)


  • This topic is locked
9 replies to this topic

#1 sysygysd

  • Members
  • 10 posts

Posted 14 April 2010 - 05:17 PM

Here are the logs that were requested by Boopme. What really tipped me off to this infection was that Chrome stopped loading any pages. Also, I have redirect issues in IE and Firefox.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Todd at 16:57:17.62 on Wed 04/14/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_19
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2302.1196 [GMT -5:00]

SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\brsvc01a.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Windows\system32\brss01a.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Acer\ALaunch\ALaunchSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\System32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\eDSMSNfix.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Maxtor\OneTouch Status\MaxMenuMgr.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Users\Todd\AppData\Roaming\Google\Google Talk\googletalk.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Users\Todd\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10e.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\Todd\Desktop\dds.scr
C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
BHO: Disabled:{02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Disabled:{0347C33E-8762-4905-BF09-768834316C61} - No File
BHO: Disabled:{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Disabled:{53707962-6F74-2D53-2644-206D7942484F} - No File
BHO: Disabled:{5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Disabled:{6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - No File
BHO: Disabled:{83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - No File
BHO: Disabled:{9030D464-4C02-4ABF-8ECC-5164760863C6} - No File
BHO: Disabled:{E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - No File
BHO: Disabled:{E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - No File
BHO: Disabled:{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - No File
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [cdloader] "c:\users\todd\appdata\roaming\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [ehTray.exe] "c:\windows\ehome\ehTray.exe"
uRun: [googletalk] "c:\users\todd\appdata\roaming\google\google talk\googletalk.exe" /autostart
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SpybotSD TeaTimer] "c:\program files\spybot - search & destroy\TeaTimer.exe"
uRun: [Google Update] "c:\users\todd\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] "c:\program files\superantispyware\SUPERAntiSpyware.exe"
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [RtHDVCpl] "RtHDVCpl.exe"
mRun: [eDataSecurity Loader] "c:\acer\empowering technology\edatasecurity\eDSloader.exe"
mRun: [eDSMSNfix] "c:\acer\empowering technology\eDSMSNfix.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [hpqSRMon] "c:\program files\hp\digital imaging\bin\hpqSRMon.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [DiscWizardMonitor.exe] "c:\program files\seagate\discwizard\DiscWizardMonitor.exe"
mRun: [AcronisTimounterMonitor] "c:\program files\seagate\discwizard\TimounterMonitor.exe"
mRun: [Seagate Scheduler2 Service] "c:\program files\common files\seagate\schedule2\schedhlp.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: x-excid - {9D6CC632-1337-4a33-9214-2DA092E776F4} - c:\windows\downloaded program files\mimectl.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: c:\windows\system32\avgrsstx.dll c:\windows\system32\avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\users\todd\appdata\roaming\mozilla\firefox\profiles\q93sw3or.default\
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\google\google gears\firefox\lib\ff35\gears.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBook.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBookDB.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpNeoLogger.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSaturn.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartSelect.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSWPOperation.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPLogging.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTC.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTL.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXREStub.dll
FF - component: c:\users\todd\appdata\roaming\mozilla\firefox\profiles\q93sw3or.default\extensions\{d02b1e87-a8c6-433f-9b5c-2cec4a072736}\components\susfox3.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\plugins\nphpclipbook.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\todd\appdata\local\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\users\todd\appdata\local\microsoft\internet explorer\downloaded program files\npsoe.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v2.00.14
============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrw7x;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSwx.sys [2010-4-11 25096]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-4-11 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-4-11 216200]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-4-11 29512]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-4-11 242696]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 ALaunchService;ALaunch Service;c:\acer\alaunch\ALaunchSvc.exe [2007-3-16 50688]
R2 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-4-11 916760]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-4-11 308064]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-4-11 5888008]
R2 Maxtor Sync Services;Maxtor Service;c:\program files\maxtor\sync\SyncServices.exe [2008-8-5 181600]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-3-19 1153368]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\common files\seagate\schedule2\schedul2.exe [2009-10-16 431456]
R3 AVGIDSDriverw7x;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_win7\AVGIDSDriver.sys [2010-4-11 122376]
R3 AVGIDSFilterw7x;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_win7\AVGIDSFilter.sys [2010-4-11 30216]
R3 AVGIDSShimw7x;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_win7\AVGIDSShim.sys [2010-4-11 20488]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2010-4-14 35816]
S2 gupdate1c98d867d991e28;Google Update Service (gupdate1c98d867d991e28);c:\program files\google\update\GoogleUpdate.exe [2009-2-12 133104]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2009-9-4 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-12-2 42368]
S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2009-12-19 16472]
S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2009-1-20 9472]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-2 1343400]

=============== Created Last 30 ================

2010-04-14 21:53:58 0 ----a-w- c:\users\todd\defogger_reenable
2010-04-14 21:31:47 3400 ------w- C:\bootsqm.dat
2010-04-14 21:19:07 2 --shatr- c:\windows\winstart.bat
2010-04-14 21:18:45 37600 ----a-w- c:\windows\system32\Partizan.exe
2010-04-14 21:18:45 35816 ----a-w- c:\windows\system32\drivers\Partizan.sys
2010-04-14 21:18:26 12752 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2010-04-14 21:18:05 0 d-----w- c:\program files\UnHackMe
2010-04-14 20:59:37 0 d-----w- c:\program files\Sophos
2010-04-14 17:50:34 0 d-sh--w- C:\$RECYCLE.BIN
2010-04-14 17:27:16 0 d-----w- C:\turkey
2010-04-14 16:12:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-14 16:12:12 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-14 16:12:12 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-14 16:07:00 0 d-----w- c:\program files\MALWAREBYTES ANTI-MALWARE
2010-04-14 05:21:19 283052876 ----a-w- c:\windows\MEMORY.DMP
2010-04-14 05:20:13 0 d-----w- c:\users\todd\DoctorWeb
2010-04-14 03:52:00 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 03:51:59 132608 ----a-w- c:\windows\system32\cabview.dll
2010-04-14 02:18:22 61543789 ----a-w- c:\windows\system32\XIMZJX
2010-04-13 03:17:13 0 --sha-w- C:\ProgramData.LOG2
2010-04-13 03:17:13 0 --sha-w- C:\ProgramData.LOG1
2010-04-13 03:14:00 0 d-----w- c:\program files\Microsoft Security Essentials
2010-04-13 02:29:38 0 d-----w- c:\program files\MSSOAP
2010-04-13 02:29:38 0 d-----w- c:\program files\common files\MSSoap
2010-04-13 02:29:21 0 d-----w- c:\program files\Webroot
2010-04-13 02:25:17 164 ----a-w- c:\windows\install.dat
2010-04-13 02:09:49 45 ----a-w- c:\windows\system32\_WKERNEL.SYL
2010-04-13 02:09:37 56496 ----a-w- c:\windows\system32\wbhelp2.dll
2010-04-13 02:09:37 544768 ----a-w- c:\windows\system32\wbocx.ocx
2010-04-13 02:09:37 258352 ----a-w- c:\windows\system32\unicows.dll
2010-04-13 02:09:36 4608 ----a-w- c:\windows\system32\W95INF32.DLL
2010-04-13 02:09:36 439 ----a-w- c:\windows\system32\shfolder.inf
2010-04-13 02:09:36 33968 ----a-w- c:\windows\system32\anim.dll
2010-04-13 02:09:36 2272 ----a-w- c:\windows\system32\W95INF16.DLL
2010-04-13 02:09:36 0 d-----w- c:\program files\WinUtilities
2010-04-12 23:49:02 0 d-----w- c:\programdata\F-Secure
2010-04-12 17:59:53 261632 ----a-w- c:\windows\PEV.exe
2010-04-12 17:03:36 0 d-----w- c:\program files\BHODemon 2
2010-04-12 02:28:05 0 d-----w- c:\programdata\Sun
2010-04-12 02:17:17 0 d-----w- c:\users\todd\appdata\roaming\SUPERAntiSpyware.com
2010-04-12 02:17:17 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-12 02:16:08 0 d-----w- c:\program files\Windows Installer Clean Up
2010-04-12 02:15:30 0 d-----w- c:\program files\MSECACHE
2010-04-11 22:21:30 0 d-----w- C:\$AVG
2010-04-11 20:05:30 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-11 19:47:00 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-04-11 19:46:59 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-11 19:46:53 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-11 19:46:49 0 d-----w- c:\windows\system32\drivers\Avg
2010-04-11 19:46:05 25096 ----a-w- c:\windows\system32\drivers\AVGIDSwx.sys
2010-04-11 19:33:39 65536 --sha-w- c:\users\todd\NTUSER.DAT{07db80c1-45a1-11df-97aa-001b24490565}.TM.blf
2010-04-11 19:33:39 524288 --sha-w- c:\users\todd\NTUSER.DAT{07db80c1-45a1-11df-97aa-001b24490565}.TMContainer00000000000000000002.regtrans-ms
2010-04-11 19:33:39 524288 --sha-w- c:\users\todd\NTUSER.DAT{07db80c1-45a1-11df-97aa-001b24490565}.TMContainer00000000000000000001.regtrans-ms
2010-04-11 19:09:43 24128 ----a-w- C:\atapi.sys
2010-04-11 03:17:17 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-11 03:11:10 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-11 03:11:04 0 d-----w- c:\programdata\Hitman Pro
2010-04-10 17:48:31 98816 ----a-w- c:\windows\sed.exe
2010-04-10 17:48:31 77312 ----a-w- c:\windows\MBR.exe
2010-04-10 17:48:31 161792 ----a-w- c:\windows\SWREG.exe
2010-04-10 16:54:18 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-04-09 21:24:16 3519 ----a-w- c:\windows\system32\hcri
2010-04-08 22:57:44 0 d-----w- c:\programdata\FLEXnet
2010-04-08 19:45:49 20 ----a-w- c:\windows\system32\SYSTEM
2010-04-08 18:14:13 0 d-----w- c:\temp\Temp
2010-04-02 19:26:59 0 d-----w- c:\windows\system32\Wat
2010-03-31 01:46:50 977920 ----a-w- c:\windows\system32\wininet.dll
2010-03-25 02:46:58 5115983 ----a-w- c:\windows\system32\SamsungPST_SCHU960.dll
2010-03-25 02:45:03 0 d-----w- c:\program files\Samsung Electronics
2010-03-20 15:49:57 1885536 ----a-w- c:\windows\system32\AutoPartNt.exe
2010-03-20 15:49:57 1024 ----a-w- c:\windows\system32\AutoPartNt.let
2010-03-20 15:38:09 0 d-----w- c:\programdata\Seagate
2010-03-20 15:38:05 44384 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
2010-03-20 15:38:05 441760 ----a-w- c:\windows\system32\drivers\timntr.sys
2010-03-20 15:38:02 132224 ----a-w- c:\windows\system32\drivers\snapman.sys
2010-03-20 15:37:58 368480 ----a-w- c:\windows\system32\drivers\tdrpman.sys
2010-03-20 15:37:29 0 d-----w- c:\program files\Seagate
2010-03-20 15:37:29 0 d-----w- c:\program files\common files\Seagate
2010-03-19 00:22:25 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2010-03-16 20:07:59 25608 ----a-w- c:\windows\system32\X3DAudio1_4.dll
2010-03-16 01:25:51 0 d-----w- c:\users\todd\appdata\roaming\Malwarebytes
2010-03-16 01:25:44 0 d-----w- c:\programdata\Malwarebytes

==================== Find3M ====================

2010-04-14 16:55:04 21584 ------w- c:\windows\system32\drivers\atapi.sys
2010-04-12 02:27:24 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-11 16:47:43 21584 ----a-w- c:\windows\system32\drivers\atapi.sys.vir
2010-02-24 15:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-02 07:45:54 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-20 15:20:01 23111 ----a-w- c:\windows\hpqins15.dat
2010-01-18 23:29:31 85504 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-18 23:29:31 85504 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-18 23:29:31 365568 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-18 23:29:30 369152 ----a-w- c:\windows\system32\secproc.dll
2010-01-18 23:28:33 324608 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-18 23:28:33 277504 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-18 23:28:30 320512 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-18 23:28:30 280064 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 16:58:28.65 ===============



gmer...
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-14 17:11:08
Windows 6.1.7600
Running: xgpuk650.exe; Driver: C:\Users\Todd\AppData\Local\Temp\afliiaob.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN7\AVGIDSShim.sys ZwOpenProcess [0x98082730]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN7\AVGIDSShim.sys ZwTerminateProcess [0x980827E0]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN7\AVGIDSShim.sys ZwTerminateThread [0x98082880]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN7\AVGIDSShim.sys ZwWriteVirtualMemory [0x98082920]

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E24AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E24104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E243F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E0D2D8
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E241DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E24958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E246F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E24F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E251A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 82E845C9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82EA9052 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 518 82EB0B18 4 Bytes [30, 27, 08, 98]
.text ntkrnlpa.exe!RtlSidHashLookup + 7E8 82EB0DE8 8 Bytes [E0, 27, 08, 98, 80, 28, 08, ...] {LOOPNZ 0x29; OR [EAX-0x67f7d780], BL}
.text ntkrnlpa.exe!RtlSidHashLookup + 85C 82EB0E5C 4 Bytes [20, 29, 08, 98]
.rsrc C:\Windows\System32\drivers\volmgrx.sys entry point in ".rsrc" section [0x898DE014]
.text peauth.sys A2A1EC9D 28 Bytes [CF, B5, A7, 47, 85, 1F, D0, ...]
.text peauth.sys A2A1ECC1 28 Bytes [CF, B5, A7, 47, 85, 1F, D0, ...]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[984] ntdll.dll!NtProtectVirtualMemory 77A85360 5 Bytes JMP 0090000A
.text C:\Program Files\Internet Explorer\iexplore.exe[984] ntdll.dll!NtWriteVirtualMemory 77A85EE0 5 Bytes JMP 0095000A
.text C:\Program Files\Internet Explorer\iexplore.exe[984] ntdll.dll!KiUserExceptionDispatcher 77A86448 5 Bytes JMP 002F000A
.text C:\Program Files\Internet Explorer\iexplore.exe[984] USER32.dll!CreateDialogParamW 763B9BFF 5 Bytes JMP 67C4C548 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[984] USER32.dll!EnableWindow 763BA72E 5 Bytes JMP 67C4C4C3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[984] USER32.dll!GetAsyncKeyState 763BC09A 5 Bytes JMP 67C0D6C9 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[984] USER32.dll!UnhookWindowsHookEx 763BCC7B 5 Bytes JMP 67D082FA C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[984] USER32.dll!CallNextHookEx 763BCC8F 5 Bytes JMP 67CE9D00 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[984] USER32.dll!CreateWindowExW 763C0E51 5 Bytes JMP 67CF80F7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[984] USER32.dll!SetWindowsHookExW 763C210A 5 Bytes JMP 67CA45DB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[984] USER32.dll!GetKeyState 763C4FDA 5 Bytes JMP 67C4D73A C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[984] USER32.dll!IsDialogMessageW 763C6F06 5 Bytes JMP 67C1425C C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[984] USER32.dll!CreateDialogParamA 763D3E79 5 Bytes JMP 67E1FE19 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[984] USER32.dll!IsDialogMessage 763D407A 5 Bytes JMP 67E1F6BA C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[984] USER32.dll!CreateDialogIndirectParamA 763D9110 5 Bytes JMP 67E1FE50 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[984] USER32.dll!CreateDialogIndirectParamW 763E08AD 5 Bytes JMP 67E1FE87 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[984] USER32.dll!DialogBoxIndirectParamW 763E4AA7 5 Bytes JMP 67E1F218 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[984] USER32.dll!EndDialog 763E555C 5 Bytes JMP 67C15AC1 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[984] USER32.dll!DialogBoxParamW 763E564A 5 Bytes JMP 67C14B7F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[984] USER32.dll!SetKeyboardState 763E6B52 5 Bytes JMP 67E1FA1F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[984] USER32.dll!SendInput 763E7055 5 Bytes JMP 67E205E8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[984] USER32.dll!SetCursorPos 763FC1D8 5 Bytes JMP 67E20640 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[984] USER32.dll!DialogBoxParamA 763FCF6A 5 Bytes JMP 67E1F1B5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[984] USER32.dll!DialogBoxIndirectParamA 763FD29C 5 Bytes JMP 67E1F27B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[984] USER32.dll!MessageBoxIndirectA 7640E8C9 5 Bytes JMP 67E1F14A C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[984] USER32.dll!MessageBoxIndirectW 7640E9C3 5 Bytes JMP 67E1F0DF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[984] USER32.dll!MessageBoxExA 7640EA29 5 Bytes JMP 67E1F07D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[984] USER32.dll!MessageBoxExW 7640EA4D 5 Bytes JMP 67E1F01B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[984] USER32.dll!keybd_event 7640EC9B 5 Bytes JMP 67E20973 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[984] SHELL32.dll!SHChangeNotification_Lock + 45BE 765EB3D8 4 Bytes [11, 36, 04, 6A] {ADC [ESI], ESI; ADD AL, 0x6a}
.text C:\Program Files\Internet Explorer\iexplore.exe[984] SHELL32.dll!SHChangeNotification_Lock + 45C6 765EB3E0 8 Bytes [5F, 35, 04, 6A, D0, 73, 03, ...]
.text C:\Program Files\Internet Explorer\iexplore.exe[984] ole32.dll!OleLoadFromStream 75E95B88 5 Bytes JMP 67E1F576 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[984] ole32.dll!CoCreateInstance 75EE57FC 5 Bytes JMP 67CF8BE5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Windows\system32\svchost.exe[1216] ntdll.dll!NtProtectVirtualMemory 77A85360 5 Bytes JMP 002B000A
.text C:\Windows\system32\svchost.exe[1216] ntdll.dll!NtWriteVirtualMemory 77A85EE0 5 Bytes JMP 002C000A
.text C:\Windows\system32\svchost.exe[1216] ntdll.dll!KiUserExceptionDispatcher 77A86448 5 Bytes JMP 002A000A
.text C:\Windows\system32\svchost.exe[1216] ole32.dll!CoCreateInstance 75EE57FC 5 Bytes JMP 0152000A
.text C:\Windows\system32\svchost.exe[1216] USER32.dll!GetCursorPos 763BC198 5 Bytes JMP 0153000A
.text C:\Windows\Explorer.EXE[2464] ntdll.dll!NtProtectVirtualMemory 77A85360 5 Bytes JMP 008D000A
.text C:\Windows\Explorer.EXE[2464] ntdll.dll!NtWriteVirtualMemory 77A85EE0 5 Bytes JMP 008E000A
.text C:\Windows\Explorer.EXE[2464] ntdll.dll!KiUserExceptionDispatcher 77A86448 5 Bytes JMP 0038000A
.text C:\Program Files\Internet Explorer\iexplore.exe[6432] ntdll.dll!NtProtectVirtualMemory 77A85360 5 Bytes JMP 015B000A
.text C:\Program Files\Internet Explorer\iexplore.exe[6432] ntdll.dll!NtWriteVirtualMemory 77A85EE0 5 Bytes JMP 015C000A
.text C:\Program Files\Internet Explorer\iexplore.exe[6432] ntdll.dll!KiUserExceptionDispatcher 77A86448 5 Bytes JMP 015A000A
.text C:\Program Files\Internet Explorer\iexplore.exe[6432] USER32.dll!CreateWindowExW 763C0E51 5 Bytes JMP 67CF80F7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6432] USER32.dll!DialogBoxIndirectParamW 763E4AA7 5 Bytes JMP 67E1F218 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6432] USER32.dll!DialogBoxParamW 763E564A 5 Bytes JMP 67C14B7F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6432] USER32.dll!DialogBoxParamA 763FCF6A 5 Bytes JMP 67E1F1B5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6432] USER32.dll!DialogBoxIndirectParamA 763FD29C 5 Bytes JMP 67E1F27B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6432] USER32.dll!MessageBoxIndirectA 7640E8C9 5 Bytes JMP 67E1F14A C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6432] USER32.dll!MessageBoxIndirectW 7640E9C3 5 Bytes JMP 67E1F0DF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6432] USER32.dll!MessageBoxExA 7640EA29 5 Bytes JMP 67E1F07D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6432] USER32.dll!MessageBoxExW 7640EA4D 5 Bytes JMP 67E1F01B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8024] ntdll.dll!NtProtectVirtualMemory 77A85360 5 Bytes JMP 0013000A
.text C:\Program Files\Internet Explorer\iexplore.exe[8024] ntdll.dll!NtWriteVirtualMemory 77A85EE0 5 Bytes JMP 0014000A
.text C:\Program Files\Internet Explorer\iexplore.exe[8024] ntdll.dll!KiUserExceptionDispatcher 77A86448 5 Bytes JMP 0012000A
.text C:\Program Files\Internet Explorer\iexplore.exe[8024] USER32.dll!CreateDialogParamW 763B9BFF 5 Bytes JMP 67C4C548 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8024] USER32.dll!EnableWindow 763BA72E 5 Bytes JMP 67C4C4C3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8024] USER32.dll!GetAsyncKeyState 763BC09A 5 Bytes JMP 67C0D6C9 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8024] USER32.dll!UnhookWindowsHookEx 763BCC7B 5 Bytes JMP 67D082FA C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8024] USER32.dll!CallNextHookEx 763BCC8F 5 Bytes JMP 67CE9D00 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8024] USER32.dll!CreateWindowExW 763C0E51 5 Bytes JMP 67CF80F7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8024] USER32.dll!SetWindowsHookExW 763C210A 5 Bytes JMP 67CA45DB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8024] USER32.dll!GetKeyState 763C4FDA 5 Bytes JMP 67C4D73A C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8024] USER32.dll!IsDialogMessageW 763C6F06 5 Bytes JMP 67C1425C C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8024] USER32.dll!CreateDialogParamA 763D3E79 5 Bytes JMP 67E1FE19 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8024] USER32.dll!IsDialogMessage 763D407A 5 Bytes JMP 67E1F6BA C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8024] USER32.dll!CreateDialogIndirectParamA 763D9110 5 Bytes JMP 67E1FE50 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8024] USER32.dll!CreateDialogIndirectParamW 763E08AD 5 Bytes JMP 67E1FE87 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8024] USER32.dll!DialogBoxIndirectParamW 763E4AA7 5 Bytes JMP 67E1F218 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8024] USER32.dll!EndDialog 763E555C 5 Bytes JMP 67C15AC1 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8024] USER32.dll!DialogBoxParamW 763E564A 5 Bytes JMP 67C14B7F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8024] USER32.dll!SetKeyboardState 763E6B52 5 Bytes JMP 67E1FA1F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8024] USER32.dll!SendInput 763E7055 5 Bytes JMP 67E205E8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8024] USER32.dll!SetCursorPos 763FC1D8 5 Bytes JMP 67E20640 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8024] USER32.dll!DialogBoxParamA 763FCF6A 5 Bytes JMP 67E1F1B5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8024] USER32.dll!DialogBoxIndirectParamA 763FD29C 5 Bytes JMP 67E1F27B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8024] USER32.dll!MessageBoxIndirectA 7640E8C9 5 Bytes JMP 67E1F14A C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8024] USER32.dll!MessageBoxIndirectW 7640E9C3 5 Bytes JMP 67E1F0DF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8024] USER32.dll!MessageBoxExA 7640EA29 5 Bytes JMP 67E1F07D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8024] USER32.dll!MessageBoxExW 7640EA4D 5 Bytes JMP 67E1F01B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8024] USER32.dll!keybd_event 7640EC9B 5 Bytes JMP 67E20973 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8024] SHELL32.dll!SHChangeNotification_Lock + 45BE 765EB3D8 4 Bytes [11, 36, 04, 6A] {ADC [ESI], ESI; ADD AL, 0x6a}
.text C:\Program Files\Internet Explorer\iexplore.exe[8024] SHELL32.dll!SHChangeNotification_Lock + 45C6 765EB3E0 8 Bytes [5F, 35, 04, 6A, D0, 73, 03, ...]
.text C:\Program Files\Internet Explorer\iexplore.exe[8024] ole32.dll!OleLoadFromStream 75E95B88 5 Bytes JMP 67E1F576 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[8024] ole32.dll!CoCreateInstance 75EE57FC 5 Bytes JMP 67CF8BE5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\00000054 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 85F58AC8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\HP Officejet J4680 Series@ChangeID 633984

---- Files - GMER 1.0.15 ----

File C:\Windows\System32\drivers\volmgrx.sys suspicious modification
File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
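The user-mode hook section of the GMER log above is long, and most of it is noise: IEFRAME.dll hooking USER32 exports inside Internet Explorer is normal. What a reviewer actually wants is the subset of JMP hooks that GMER could not attribute to any module on disk (the `JMP 002B000A`-style entries in svchost.exe, Explorer.EXE and iexplore.exe). The following is an added triage helper, not code from the original post or from GMER; function names (`parse_hook`, `triage`, `unattributed_by_process`) are mine and `SAMPLE_LOG` is constructed from the line shapes in this thread. The unattributed bucket is a worklist, not a verdict: legitimate security products also hook these exports (the same log shows AVG hooking ZwWriteVirtualMemory in the SSDT), so each entry still needs its target memory examined.

```python
"""Triage GMER 'Code sections' entries: split inline JMP hooks that GMER
resolved to a module on disk from hooks whose target it could not attribute,
and from plain byte patches. Added example, not part of the original post or
of GMER itself; SAMPLE_LOG is constructed from the line shapes in this thread."""
import re
from collections import defaultdict

# Constructed sample: five lines in the shape GMER prints for user-mode hooks.
SAMPLE_LOG = r"""
.text C:\Program Files\Internet Explorer\iexplore.exe[984] USER32.dll!CreateWindowExW 763C0E51 5 Bytes JMP 67CF80F7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Windows\system32\svchost.exe[1216] ntdll.dll!NtProtectVirtualMemory 77A85360 5 Bytes JMP 002B000A
.text C:\Windows\system32\svchost.exe[1216] ntdll.dll!NtWriteVirtualMemory 77A85EE0 5 Bytes JMP 002C000A
.text C:\Windows\Explorer.EXE[2464] ntdll.dll!KiUserExceptionDispatcher 77A86448 5 Bytes JMP 0038000A
.text C:\Program Files\Internet Explorer\iexplore.exe[984] SHELL32.dll!SHChangeNotification_Lock + 45BE 765EB3D8 4 Bytes [11, 36, 04, 6A] {ADC [ESI], ESI; ADD AL, 0x6a}
"""

# One '.text' line: process[pid], hooked export (optionally '+ offset'),
# address, patch length, then either 'JMP target [module (description)]'
# or a raw byte list with optional disassembly.
LINE_RE = re.compile(
    r"^\.text (?P<proc>.+?\[(?P<pid>\d+)\]) "
    r"(?P<func>\S+(?: \+ [0-9A-F]+)?) "
    r"(?P<addr>[0-9A-F]{8}) (?P<size>\d+) Bytes? (?P<rest>.*)$"
)
JMP_RE = re.compile(
    r"^JMP (?P<target>[0-9A-F]{8})(?: (?P<module>.+?) \((?P<desc>[^)]*)\))?$"
)


def parse_hook(line):
    """Return a dict for one hook line, or None if the line is not a hook entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = {
        "proc": m["proc"], "pid": int(m["pid"]), "func": m["func"],
        "addr": int(m["addr"], 16), "size": int(m["size"]),
        "kind": "patch", "target": None, "module": None, "desc": None,
    }
    j = JMP_RE.match(m["rest"])
    if j:
        entry["kind"] = "jmp"
        entry["target"] = int(j["target"], 16)
        entry["module"] = j["module"]   # None when GMER printed no module
        entry["desc"] = j["desc"]
    return entry


def triage(log_text):
    """Bucket hook entries: JMPs GMER attributed to a module, JMPs it did not, byte patches."""
    buckets = {"attributed": [], "unattributed": [], "patches": []}
    for line in log_text.splitlines():
        e = parse_hook(line)
        if e is None:
            continue
        if e["kind"] == "patch":
            buckets["patches"].append(e)
        elif e["module"]:
            buckets["attributed"].append(e)
        else:
            buckets["unattributed"].append(e)
    return buckets


def unattributed_by_process(log_text):
    """Map each process[pid] to the exports whose JMP target GMER left unattributed."""
    grouped = defaultdict(list)
    for e in triage(log_text)["unattributed"]:
        grouped[e["proc"]].append(e["func"])
    return dict(grouped)


if __name__ == "__main__":
    for proc, funcs in unattributed_by_process(SAMPLE_LOG).items():
        print(proc, "->", ", ".join(funcs))
```

Run against the full log pasted above, the helper collapses roughly eighty lines into three processes with a handful of unattributed ntdll/ole32/USER32 hooks each, which is the part worth comparing against the security software known to be installed.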



#2 Jat90

Jat90

  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom
  • Local time:06:25 PM

Posted 14 April 2010 - 05:37 PM

Hello, sysygysd

Welcome to the Bleeping Computer Forums. My name is Jat, and I will be helping you with your situation.

If you do not make a reply in 5 days, we will have to close your topic.


You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.



Looks like the newer variant of TDL3, let's do this:

SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    volmgrx.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#3 sysygysd

sysygysd
  • Topic Starter

  • Members
  • 10 posts
  • Local time:11:25 AM

Posted 14 April 2010 - 06:30 PM

Here you go...

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 18:29 on 14/04/2010 by Todd (Administrator - Elevation successful)

========== filefind ==========

Searching for "volmgrx.sys"
C:\Windows\System32\drivers\volmgrx.sys --a--- 297040 bytes [23:11 13/07/2009] [01:19 14/07/2009] B5BB72067DDDDBBFB04B2F89FF8C3C87
C:\Windows\winsxs\x86_microsoft-windows-dynamicvolumemanager_31bf3856ad364e35_6.1.7600.16385_none_dcd91825e77c6c5d\volmgrx.sys --a--- 297040 bytes [23:11 13/07/2009] [01:19 14/07/2009] B5BB72067DDDDBBFB04B2F89FF8C3C87

-=End Of File=-
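The point of the SystemLook step above is a comparison: the live driver in System32\drivers against the copy Windows keeps in its component store under WinSxS. Here both MD5s are B5BB72067DDDDBBFB04B2F89FF8C3C87, so the two on-disk copies are byte-for-byte identical. The following is an added helper that automates that comparison over a filefind block; it is not code from the original post or from SystemLook, the function names are mine, and the second `example.sys` block with DEADBEEF/CAFEBABE hashes is constructed to show the mismatch case.

```python
"""Parse SystemLook ':filefind' output and compare, per file name, the live copy
under System32\drivers with the component-store copy under WinSxS by MD5.
Added example, not part of the original post or of SystemLook; the volmgrx.sys
lines repeat the thread's log, the example.sys block is constructed with
placeholder hashes."""
import re
from collections import defaultdict

SAMPLE = r"""
Searching for "volmgrx.sys"
C:\Windows\System32\drivers\volmgrx.sys --a--- 297040 bytes [23:11 13/07/2009] [01:19 14/07/2009] B5BB72067DDDDBBFB04B2F89FF8C3C87
C:\Windows\winsxs\x86_microsoft-windows-dynamicvolumemanager_31bf3856ad364e35_6.1.7600.16385_none_dcd91825e77c6c5d\volmgrx.sys --a--- 297040 bytes [23:11 13/07/2009] [01:19 14/07/2009] B5BB72067DDDDBBFB04B2F89FF8C3C87

Searching for "example.sys"
C:\Windows\System32\drivers\example.sys --a--- 12345 bytes [00:00 01/01/2009] [00:00 01/01/2010] DEADBEEFDEADBEEFDEADBEEFDEADBEEF
C:\Windows\winsxs\x86_constructed-component_0000000000000000_6.1.7600.16385_none_0000000000000000\example.sys --a--- 12345 bytes [00:00 01/01/2009] [00:00 01/01/2009] CAFEBABECAFEBABECAFEBABECAFEBABE
"""

SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"$')
# path, attribute flags, size, [created] [modified], MD5
ENTRY_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-zA-Z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_filefind(text):
    """Group entries by the file name they were found under."""
    found = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        s = SEARCH_RE.match(line)
        if s:
            current = s["name"].lower()
            continue
        e = ENTRY_RE.match(line)
        if e and current:
            found[current].append({
                "path": e["path"], "size": int(e["size"]),
                "created": e["created"], "modified": e["modified"],
                "md5": e["md5"].upper(),
            })
    return dict(found)


def _role(path):
    """Classify a hit as the live driver, a component-store copy, or other."""
    p = path.lower()
    if "\\winsxs\\" in p:
        return "winsxs"
    if "\\system32\\drivers\\" in p:
        return "live"
    return "other"


def compare_live_to_winsxs(entries):
    """Return 'match', 'mismatch', or which copy is missing."""
    live = [e for e in entries if _role(e["path"]) == "live"]
    store = [e for e in entries if _role(e["path"]) == "winsxs"]
    if not live:
        return "no-live-copy"
    if not store:
        return "no-winsxs-copy"
    # The store may hold several versions; a live copy matching any of them is fine.
    store_hashes = {e["md5"] for e in store}
    return "match" if live[0]["md5"] in store_hashes else "mismatch"


def report(text):
    """Per file name, the comparison result for a whole filefind log."""
    return {name: compare_live_to_winsxs(entries)
            for name, entries in parse_filefind(text).items()}


if __name__ == "__main__":
    for name, status in report(SAMPLE).items():
        print(f"{name}: {status}")
```

The caveat a practitioner should keep in mind: a matching hash only tells you that both files read the same from inside the running system. The earlier GMER log flagged the very same volmgrx.sys as a "suspicious modification" and showed the atapi device object redirected (`Device -> \Driver\atapi \Device\Harddisk0\DR0`), and a rootkit sitting in the disk I/O path can hand clean bytes to anything hashing the file from the infected OS. That is a good reason to do any replacement from the offline recovery environment, which is what the next instructions in this thread do.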

#4 Jat90

Jat90

  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom
  • Local time:06:25 PM

Posted 14 April 2010 - 07:41 PM

Ok,

We need to copy a file now, so please locate:

C:\Windows\winsxs\x86_microsoft-windows-dynamicvolumemanager_31bf3856ad364e35_6.1.7600.16385_none_dcd91825e77c6c5d\volmgrx.sys
Right click that file and hit "copy"
Then paste it at C:\

Note -- It's highly important you get that right, let me know if you have any problems or questions.

File Replacement via Windows 7 Recovery Environment

We need to replace that file manually:
  1. Access the Windows 7 Recovery Environment Command Prompt as outlined in this tutorial.
  2. At the command prompt, type the following bolded text, and press Enter:

    cd C:\Windows\System32\drivers

  3. At the next prompt type the following bolded text, and press Enter:

    ren volmgrx.sys volmgrx.vir

  4. At the next prompt type the following bolded text, and press Enter:

    copy C:\volmgrx.sys volmgrx.sys

  5. The command should then show 1 file(s) copied
  6. At the next prompt type the following bolded text, and press Enter:

    exit
Windows will now begin loading.

Gmer

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

Edited by Jat90, 14 April 2010 - 07:42 PM.

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.
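The file replacement described above is a rename-then-copy at the recovery console. As an added example (not the helper's own console commands and not code from the thread), here is the same procedure with the checks a responder would want around it: the original is kept as `.vir` rather than deleted, an existing quarantine file is never overwritten, and the copy is verified by hash and rolled back if it does not match. The function names (`replace_driver`, `demo_in_scratch_dir`) and the scratch-directory demonstration are mine.

```python
"""Replace a suspect driver with a known-good copy, keeping the original as
evidence and verifying the result by hash before reporting success. Added
example (not the helper's steps, which are typed at the Windows 7 recovery
console); replace_driver and demo_in_scratch_dir are names assumed here.
Paths are parameters so the logic can be exercised against a scratch directory."""
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large drivers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def replace_driver(drivers_dir, name, clean_copy, quarantine_ext=".vir"):
    """Mirror the thread's 'ren volmgrx.sys volmgrx.vir' + 'copy' steps with checks.

    Refuses to overwrite an existing quarantine file (it may be evidence from an
    earlier attempt), verifies the copied bytes match the clean copy, and rolls
    back if they do not.
    """
    target = os.path.join(drivers_dir, name)
    quarantined = os.path.splitext(target)[0] + quarantine_ext
    if not os.path.isfile(clean_copy):
        raise FileNotFoundError(f"clean copy missing: {clean_copy}")
    if os.path.exists(quarantined):
        raise FileExistsError(f"quarantine file already present: {quarantined}")

    clean_hash = sha256_of(clean_copy)
    original_hash = sha256_of(target) if os.path.isfile(target) else None
    if original_hash is not None:
        os.rename(target, quarantined)          # ren volmgrx.sys volmgrx.vir
    try:
        shutil.copy2(clean_copy, target)         # copy C:\volmgrx.sys volmgrx.sys
        if sha256_of(target) != clean_hash:
            raise IOError("copied file does not match clean copy")
    except Exception:
        # Roll back so the system is not left without the driver at all.
        if os.path.exists(target):
            os.remove(target)
        if original_hash is not None:
            os.rename(quarantined, target)
        raise
    return {
        "target": target,
        "quarantined": quarantined if original_hash is not None else None,
        "sha256": clean_hash,
        # False when the on-disk copy already had the clean bytes (the thread's
        # SystemLook hashes were identical), so the swap changed nothing on disk.
        "changed": original_hash != clean_hash,
    }


def demo_in_scratch_dir():
    """Run the procedure against a scratch tree; returns what a test can assert on."""
    root = tempfile.mkdtemp(prefix="drvswap_")
    drivers = os.path.join(root, "drivers")
    os.makedirs(drivers)
    with open(os.path.join(drivers, "volmgrx.sys"), "wb") as f:
        f.write(b"constructed suspect bytes")
    clean = os.path.join(root, "volmgrx.sys")   # stands in for C:\volmgrx.sys
    with open(clean, "wb") as f:
        f.write(b"constructed clean bytes")
    first = replace_driver(drivers, "volmgrx.sys", clean)
    with open(first["target"], "rb") as f:
        target_bytes = f.read()
    with open(first["quarantined"], "rb") as f:
        quarantine_bytes = f.read()
    try:
        replace_driver(drivers, "volmgrx.sys", clean)   # .vir already exists
        second_refused = False
    except FileExistsError:
        second_refused = True
    shutil.rmtree(root)
    return {
        "first": first, "target_bytes": target_bytes,
        "quarantine_bytes": quarantine_bytes, "second_refused": second_refused,
    }


if __name__ == "__main__":
    print(demo_in_scratch_dir())
```

The `changed` flag is the interesting output in this thread's situation: if the live copy and the WinSxS copy really were identical, the swap is a no-op on disk and the "suspicious modification" GMER reported must be explained elsewhere, which is why the helper asks for a fresh GMER scan immediately afterwards.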


#5 sysygysd

sysygysd
  • Topic Starter

  • Members
  • 10 posts
  • Local time:11:25 AM

Posted 14 April 2010 - 08:45 PM

1 file copied...

New GMER log

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-14 20:42:19
Windows 6.1.7600
Running: xgpuk650.exe; Driver: C:\Users\Todd\AppData\Local\Temp\afliiaob.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN7\AVGIDSShim.sys ZwOpenProcess [0x90A22730]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN7\AVGIDSShim.sys ZwTerminateProcess [0x90A227E0]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN7\AVGIDSShim.sys ZwTerminateThread [0x90A22880]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN7\AVGIDSShim.sys ZwWriteVirtualMemory [0x90A22920]

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83247AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83247104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 832473F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 832302D8
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 832471DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83247958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 832476F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83247F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 832481A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 82E605C9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82E85052 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 518 82E8CB18 4 Bytes [30, 27, A2, 90]
.text ntkrnlpa.exe!RtlSidHashLookup + 7E8 82E8CDE8 8 Bytes [E0, 27, A2, 90, 80, 28, A2, ...] {LOOPNZ 0x29; MOV [0xa2288090], AL; NOP }
.text ntkrnlpa.exe!RtlSidHashLookup + 85C 82E8CE5C 4 Bytes [20, 29, A2, 90]
.text peauth.sys 9F81BC9D 28 Bytes [5E, 0C, 6A, CA, D4, BD, DF, ...]
.text peauth.sys 9F81BCC1 28 Bytes [5E, 0C, 6A, CA, D4, BD, DF, ...]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\00000054 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----


#6 sysygysd

sysygysd
  • Topic Starter

  • Members
  • 10 posts
  • Local time:11:25 AM

Posted 14 April 2010 - 09:46 PM

A few odd things since my last post:

Started Chrome: =BSOD and restart
After restart, Windows Update pulled down 6 updates and installed. Before another restart, Msft Sec Essentials stopped and disabled ?/Alureon?. Another restart, updates finished. Chrome started just fine. It hasn't worked right in over a week...

So what do you think next? MBAM (or something similar)?

Todd

#7 Jat90

Jat90

  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom
  • Local time:06:25 PM

Posted 15 April 2010 - 03:56 AM

Hello,

Your redirect issues should now be resolved, let's proceed with MBAM:

Malwarebytes Anti-Malware

Please download Malwarebytes Anti-Malware (v1.44) and save it to your desktop. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Edited by Jat90, 15 April 2010 - 06:15 AM.

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#8 sysygysd

sysygysd
  • Topic Starter

  • Members
  • 10 posts
  • Local time:11:25 AM

Posted 15 April 2010 - 09:10 AM

Everything appears to be back to normal. Heck, I'm even posting this reply from Chrome. Thank you for your help.

That was one nasty bug....

MBAM log

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3989

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

4/15/2010 12:08:30 AM
mbam-log-2010-04-15 (00-08-30).txt

Scan type: Quick scan
Objects scanned: 117791
Time elapsed: 7 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#9 Jat90

Jat90

  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom
  • Local time:06:25 PM

Posted 15 April 2010 - 11:50 AM

Yeah, it was the TDL3 Rootkit. This rootkit has backdoor functionalities, I maybe should have informed you about it at the start but hear this warning:

Backdoor Threat

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

This machine is clean but I can't guarantee that it will be 100% secure afterwards.

There are still a couple of things I'd like to do before we can close this topic but let me know if you decide to reinstall.

ReScan

Please rescan with DDS and post DDS.txt
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#10 Jat90

Jat90

  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom
  • Local time:06:25 PM

Posted 19 April 2010 - 05:30 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.




