This computer can not browse to any page (or post a new topic at bleepingcomputer.com) with "windowsupdate" in the URL. Trying to go to Microsoft's windowsupdate or doing any search on windowsupdate get an error page that the server has reset the connection or is not available.
Even trying to post this to bleepingcomputer.net was blocked because it contained windowsupdate.
Also, many pages that don't (verified) use popups are still followed with popups.
Full antivirus and malwarebytes scans cleaned a few things up but the prime problem continued.
I have the DDS and GMER logs.
Ran combofix which forced a reboot because it detected rootkit activity. It deleted some *.tmp.dll files and restored a isapnp.sys file from kitty had a snack. Combofix seems to have cured the problem but I have the log from it if you want it.
Wandering on just how the user got the rootkit and if everything is now cleaned out.
Thanks.
DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 9:58:52.56 on Sat 06/26/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1471.728 [GMT -5:00]
AV: AVG Anti-Virus Network Edition *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr
============== Pseudo HJT Report ===============
uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: SpoofStick: {4d46ed77-1429-4cf6-8f63-c84b5d710baf} - c:\program files\corestreet\spoofstick\SpoofStick.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
mRun: [<NO NAME>]
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: windowsupdate.com
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1277325325969
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~3\MpShHook.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\rm9hj6wq.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\rm9hj6wq.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava14.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJPI142.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPOJI610.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
============= SERVICES / DRIVERS ===============
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-4-24 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-4-24 216200]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-4-24 29512]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-4-24 242896]
R2 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-6-3 916760]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-6-3 308064]
R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2010-6-3 2325816]
R2 uvnc_service;uvnc_service;c:\program files\ultravnc\winvnc.exe [2009-12-29 1590216]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2006-7-11 6016]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2008-4-24 30104]
R3 mv2;mv2;c:\windows\system32\drivers\mv2.sys [2009-12-29 10688]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-3 136176]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-6-3 369920]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2008-4-24 30104]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
=============== Created Last 30 ================
2010-06-26 13:51:07 128872 ----a-w- C:\SysSave.nri
2010-06-26 13:40:42 0 d-----w- c:\docume~1\alluse~1\applic~1\Pure Networks
2010-06-26 13:28:58 0 d-----w- C:\Transfer
2010-06-26 13:25:05 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-06-26 13:25:05 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-06-26 13:24:59 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-06-26 13:24:59 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-06-26 13:24:55 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-06-26 13:24:55 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-06-26 13:24:51 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2010-06-26 13:24:51 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-06-25 20:17:08 0 d-----w- c:\docume~1\alluse~1\applic~1\McAfee Security Scan
2010-06-25 20:17:03 0 d-----w- c:\program files\McAfee Security Scan
2010-06-23 21:04:08 41984 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-06-23 21:03:40 0 d-----w- c:\windows\system32\Adobe
2010-06-23 20:50:45 135168 -c----w- c:\windows\system32\dllcache\shsvcs.dll
2010-06-23 20:46:29 57344 -c----w- c:\windows\system32\dllcache\uexfat.dll
2010-06-23 20:46:29 57344 ------w- c:\windows\system32\uexfat.dll
2010-06-23 20:46:28 133632 -c----w- c:\windows\system32\dllcache\exfat.sys
2010-06-23 20:46:28 133632 ------w- c:\windows\system32\drivers\exfat.sys
2010-06-23 20:46:27 278528 -c----w- c:\windows\system32\dllcache\ulib.dll
2010-06-23 20:41:58 104960 -c----w- c:\windows\system32\dllcache\win32spl.dll
2010-06-23 20:41:57 74752 -c----w- c:\windows\system32\dllcache\msw3prt.dll
2010-06-23 20:37:26 9696 -c----w- c:\windows\system32\dllcache\drvmain.sdb
2010-06-23 20:37:25 790846 -c----w- c:\windows\system32\dllcache\apph_sp.sdb
2010-06-23 20:34:26 97280 -c----w- c:\windows\system32\dllcache\psbase.dll
2010-06-23 20:14:01 68096 -c----w- c:\windows\system32\dllcache\ntdsapi.dll
2010-06-23 20:14:01 175104 -c----w- c:\windows\system32\dllcache\w32time.dll
2010-06-23 20:14:00 113152 -c----w- c:\windows\system32\dllcache\dsuiext.dll
2010-06-23 20:13:54 68096 -c----w- c:\windows\system32\dllcache\adsmsext.dll
2010-06-23 20:13:54 407040 -c----w- c:\windows\system32\dllcache\netlogon.dll
2010-06-23 20:11:32 177152 -c----w- c:\windows\system32\dllcache\msctfime.ime
2010-06-23 20:10:51 0 d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-06-23 20:01:00 53248 ----a-w- c:\windows\system32\SSUBTMR6.DLL
2010-06-23 20:01:00 32584 ----a-w- c:\windows\system32\FM20ENU.DLL
2010-06-23 20:01:00 218432 ----a-w- c:\windows\system32\RICHTX32.OCX
2010-06-23 20:01:00 1146184 ----a-w- c:\windows\system32\FM20.DLL
2010-06-23 20:00:59 614992 ----a-w- c:\windows\system32\COMCTL32.OCX
2010-06-03 19:39:12 0 d--h--w- C:\$AVG
2010-06-03 19:38:02 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
==================== Find3M ====================
2010-06-24 15:46:11 1124 ----a-w- c:\docume~1\owner\applic~1\wklnhst.dat
2010-06-03 19:38:50 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-03 19:38:50 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-03 19:38:37 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-06-03 19:38:37 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-06-03 19:38:02 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2010-06-03 19:38:02 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2010-05-12 16:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-29 20:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2008-10-11 14:41:49 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101120081012\index.dat
============= FINISH: 10:00:35.01 ===============