Any URL with windowsupdate in it is blocked plus getting popups.

Hello,

This computer can not browse to any page (or post a new topic at bleepingcomputer.com) with "windowsupdate" in the URL. Trying to go to Microsoft's windowsupdate or doing any search on windowsupdate get an error page that the server has reset the connection or is not available.

Even trying to post this to bleepingcomputer.net was blocked because it contained windowsupdate.

Also, many pages that don't (verified) use popups are still followed with popups.

Full antivirus and malwarebytes scans cleaned a few things up but the prime problem continued.

I have the DDS and GMER logs.

Ran combofix which forced a reboot because it detected rootkit activity. It deleted some *.tmp.dll files and restored a isapnp.sys file from kitty had a snack. Combofix seems to have cured the problem but I have the log from it if you want it.

Wandering on just how the user got the rootkit and if everything is now cleaned out.

Thanks.



DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 9:58:52.56 on Sat 06/26/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1471.728 [GMT -5:00]

AV: AVG Anti-Virus Network Edition *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: SpoofStick: {4d46ed77-1429-4cf6-8f63-c84b5d710baf} - c:\program files\corestreet\spoofstick\SpoofStick.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
mRun: [<NO NAME>]
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: windowsupdate.com
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1277325325969
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~3\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\rm9hj6wq.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\rm9hj6wq.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava14.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJPI142.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPOJI610.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-4-24 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-4-24 216200]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-4-24 29512]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-4-24 242896]
R2 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-6-3 916760]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-6-3 308064]
R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2010-6-3 2325816]
R2 uvnc_service;uvnc_service;c:\program files\ultravnc\winvnc.exe [2009-12-29 1590216]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2006-7-11 6016]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2008-4-24 30104]
R3 mv2;mv2;c:\windows\system32\drivers\mv2.sys [2009-12-29 10688]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-3 136176]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-6-3 369920]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2008-4-24 30104]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]

=============== Created Last 30 ================

2010-06-26 13:51:07 128872 ----a-w- C:\SysSave.nri
2010-06-26 13:40:42 0 d-----w- c:\docume~1\alluse~1\applic~1\Pure Networks
2010-06-26 13:28:58 0 d-----w- C:\Transfer
2010-06-26 13:25:05 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-06-26 13:25:05 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-06-26 13:24:59 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-06-26 13:24:59 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-06-26 13:24:55 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-06-26 13:24:55 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-06-26 13:24:51 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2010-06-26 13:24:51 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-06-25 20:17:08 0 d-----w- c:\docume~1\alluse~1\applic~1\McAfee Security Scan
2010-06-25 20:17:03 0 d-----w- c:\program files\McAfee Security Scan
2010-06-23 21:04:08 41984 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-06-23 21:03:40 0 d-----w- c:\windows\system32\Adobe
2010-06-23 20:50:45 135168 -c----w- c:\windows\system32\dllcache\shsvcs.dll
2010-06-23 20:46:29 57344 -c----w- c:\windows\system32\dllcache\uexfat.dll
2010-06-23 20:46:29 57344 ------w- c:\windows\system32\uexfat.dll
2010-06-23 20:46:28 133632 -c----w- c:\windows\system32\dllcache\exfat.sys
2010-06-23 20:46:28 133632 ------w- c:\windows\system32\drivers\exfat.sys
2010-06-23 20:46:27 278528 -c----w- c:\windows\system32\dllcache\ulib.dll
2010-06-23 20:41:58 104960 -c----w- c:\windows\system32\dllcache\win32spl.dll
2010-06-23 20:41:57 74752 -c----w- c:\windows\system32\dllcache\msw3prt.dll
2010-06-23 20:37:26 9696 -c----w- c:\windows\system32\dllcache\drvmain.sdb
2010-06-23 20:37:25 790846 -c----w- c:\windows\system32\dllcache\apph_sp.sdb
2010-06-23 20:34:26 97280 -c----w- c:\windows\system32\dllcache\psbase.dll
2010-06-23 20:14:01 68096 -c----w- c:\windows\system32\dllcache\ntdsapi.dll
2010-06-23 20:14:01 175104 -c----w- c:\windows\system32\dllcache\w32time.dll
2010-06-23 20:14:00 113152 -c----w- c:\windows\system32\dllcache\dsuiext.dll
2010-06-23 20:13:54 68096 -c----w- c:\windows\system32\dllcache\adsmsext.dll
2010-06-23 20:13:54 407040 -c----w- c:\windows\system32\dllcache\netlogon.dll
2010-06-23 20:11:32 177152 -c----w- c:\windows\system32\dllcache\msctfime.ime
2010-06-23 20:10:51 0 d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-06-23 20:01:00 53248 ----a-w- c:\windows\system32\SSUBTMR6.DLL
2010-06-23 20:01:00 32584 ----a-w- c:\windows\system32\FM20ENU.DLL
2010-06-23 20:01:00 218432 ----a-w- c:\windows\system32\RICHTX32.OCX
2010-06-23 20:01:00 1146184 ----a-w- c:\windows\system32\FM20.DLL
2010-06-23 20:00:59 614992 ----a-w- c:\windows\system32\COMCTL32.OCX
2010-06-03 19:39:12 0 d--h--w- C:\$AVG
2010-06-03 19:38:02 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9

==================== Find3M ====================

2010-06-24 15:46:11 1124 ----a-w- c:\docume~1\owner\applic~1\wklnhst.dat
2010-06-03 19:38:50 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-03 19:38:50 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-03 19:38:37 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-06-03 19:38:37 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-06-03 19:38:02 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2010-06-03 19:38:02 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2010-05-12 16:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-29 20:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2008-10-11 14:41:49 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101120081012\index.dat

============= FINISH: 10:00:35.01 ===============

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

• Download DDS by sUBs from one of the following links. Save it to your desktop.
  • DDS.scr
  • DDS.pif
• Double click on the DDS icon, allow it to run.
• A small box will open, with an explaination about the tool. No input is needed, the scan is running.
• Notepad will open with the results.
• Follow the instructions that pop up for posting the results.
• Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:

• Main Mirror
  This version will download a randomly named file (Recommended)
• Zipped Mirror
  This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

• Disconnect from the Internet and close all running programs.
• Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
• Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
• Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  
  
  
• GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
• If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
• Now click the Scan button. If you see a rootkit warning window, click OK.
• When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
• Click the Copy button and paste the results into your next reply.
• Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.