Internet Explorer won't work

13 replies to this topic

#1 greeeeega
Posted 21 November 2010 - 09:17 AM

Hi there, so for a while now when I open an IE browser, it gives me a message saying that IE cannot display the webpage. Google Chrome also has the same problem. I can, however, use Firefox. I would like to download the full WOW on this laptop, but the WOW installer also gives me a message saying that it cannot connect to the internet.

When I try to diagnose the IE problem, it tells me that:

'Windows cannot connect to the internet using HTTP, HTTPS, or FTP. This is probably caused by firewall settings on this computer. Check the firewall settings for the HTTP port (80), HTTPS port (443) and FTP port (21).'

a) I've opened all of these ports.
b) I've tried disabling my firewalls.
c) I've run ccleaner, ad-aware, avg scan and spybot, and none of these has fixed the problem.

There is a thread here (http://forums.techguy.org/web-email/537696-http-80-https-443-ftp.html) [I haven't posted on this forum] of people who have had the same problem, and most seem to be solved via either removing Norton Antivirus (which I've never had) or removing malware. I would like to try and use hijackthis to try and remove any malware and would like some advice.

Thanks in advance for any help! Below are my Hijackthis scan log and my DDS log.

Hijackthis:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 14:15:19, on 21/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\conime.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Gregor.TIMMYTHELAPTOP\My Documents\Downloads\aso3setup_downloadcom_ppd.exe
C:\Documents and Settings\Gregor.TIMMYTHELAPTOP\My Documents\Downloads\avg_free_stb_all_2011_1153_cnet.exe
C:\DOCUME~1\GREGOR~1.TIM\LOCALS~1\Temp\7zS37.tmp\avgmfapx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
C:\WINDOWS\system32\rsvp.exe
C:\Documents and Settings\Gregor.TIMMYTHELAPTOP\Desktop\Hijackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} (FBootloaderAX) - http://static.ak.facebook.com/fbplugin/win32/axfbootloader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} (VodClient Control Class) - http://www.vexcast.com/download/vexcast.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3EABB9EA-7DCC-462B-8FF8-ABC270908802}: NameServer = 93.188.162.74,93.188.161.7
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.74,93.188.161.7
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.74,93.188.161.7
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

--
End of file - 5376 bytes


DDS:

DDS (Ver_10-11-10.01) - NTFSx86
Run by Gregor at 13:14:49.59 on 21/11/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.936.86.1033.18.447.119 [GMT 0:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning enabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\conime.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Gregor.TIMMYTHELAPTOP\My Documents\Downloads\aso3setup_downloadcom_ppd.exe
C:\Documents and Settings\Gregor.TIMMYTHELAPTOP\My Documents\Downloads\avg_free_stb_all_2011_1153_cnet.exe
C:\DOCUME~1\GREGOR~1.TIM\LOCALS~1\Temp\7zS37.tmp\avgmfapx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Gregor.TIMMYTHELAPTOP\Desktop\Hijackthis\HijackThis.exe
C:\Documents and Settings\Gregor.TIMMYTHELAPTOP\My Documents\Downloads\Defogger.exe
C:\Documents and Settings\Gregor.TIMMYTHELAPTOP\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://static.ak.facebook.com/fbplugin/win32/axfbootloader.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} - hxxp://www.vexcast.com/download/vexcast.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 93.188.162.74,93.188.161.7
TCP: {3EABB9EA-7DCC-462B-8FF8-ABC270908802} = 93.188.162.74,93.188.161.7
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-11-20 64288]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-9-23 1355928]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-9-23 15008]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-16 136176]

=============== Created Last 30 ================

2010-11-21 12:08:05 -------- dc----w- c:\docume~1\alluse~1.win\applic~1\Spybot - Search & Destroy
2010-11-21 12:08:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-21 00:59:46 -------- dc----w- c:\docume~1\alluse~1.win\applic~1\MFAData
2010-11-21 00:54:56 -------- d-----w- c:\docume~1\gregor~1.tim\applic~1\Systweak
2010-11-21 00:01:12 -------- d-----w- c:\windows\Internet Logs
2010-11-20 21:09:57 -------- dc----w- c:\docume~1\alluse~1.win\applic~1\Kaspersky SDK
2010-11-20 19:04:39 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-11-20 16:43:28 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-11-20 16:40:59 -------- dc-h--w- c:\docume~1\alluse~1.win\applic~1\{E961CE1B-C3EA-4882-9F67-F859B555D097}
2010-11-20 16:38:34 -------- d-----w- c:\program files\Lavasoft
2010-11-20 09:01:53 -------- d-----w- c:\docume~1\gregor~1.tim\applic~1\GameRanger
2010-11-19 19:03:46 -------- d-----w- c:\docume~1\gregor~1.tim\applic~1\BitComet
2010-11-19 19:03:42 -------- d-----w- c:\program files\BitComet
2010-11-19 18:08:45 -------- d-----w- c:\program files\CCleaner
2010-11-18 13:31:36 -------- dc----w- c:\docume~1\alluse~1.win\applic~1\Blizzard Entertainment
2010-11-18 13:10:55 -------- d-----w- c:\program files\Age of Empires II
2010-11-18 13:05:33 -------- d-----w- c:\program files\common files\Windows Live

==================== Find3M ====================


=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HTS541060G9SA00 rev.MB3OC60P -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x84351D01]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x50; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x844ce85b; SUB DWORD [EBP-0x4], 0x844ce12e; PUSH EDI; CALL 0xffffffffffffe0f7; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x844A5998]
3 CLASSPNP[0xF7616FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x844288F0]
[0x842A7AE8] -> IRP_MJ_CREATE -> 0x84351D01
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskHTS541060G9SA00_________________________MB3OC60P#5&23802106&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x84351AEA
user & kernel MBR OK
sectors 117231406 (+255): user != kernel
Warning: possible TDL3 rootkit infection !

============= FINISH: 13:17:03.46 ===============
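As an added example (not code from the original post, nor from DDS or HijackThis), the checks below parse the Pseudo HJT Report lines quoted above and flag the three settings a malware responder would look at first: a ProxyServer pointing at loopback (IE, Chrome and most installers use these WinINET settings, while Firefox keeps its own, which matches the symptom described), a Userinit value that runs more than userinit.exe at logon, and statically set DNS servers. The sample input is constructed from the log lines above, with one ordinary autorun line added for contrast.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample: the relevant lines from the DDS "Pseudo HJT Report" above,
# plus one ordinary mRun line that the checks should leave alone.
SAMPLE_REPORT = r"""
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
TCP: NameServer = 93.188.162.74,93.188.161.7
TCP: {3EABB9EA-7DCC-462B-8FF8-ABC270908802} = 93.188.162.74,93.188.161.7
"""

Finding = Dict[str, str]


def check_proxy(value: str) -> List[Finding]:
    """ProxyServer is either 'host:port' or 'http=host:port;https=host:port'.
    A loopback proxy is only legitimate while a local filtering product is
    actually listening; otherwise every WinINET client loses connectivity."""
    findings: List[Finding] = []
    for entry in value.split(";"):
        hostport = entry.split("=", 1)[-1].strip()
        host = hostport.rsplit(":", 1)[0]
        try:
            is_loopback = ipaddress.ip_address(host).is_loopback
        except ValueError:
            is_loopback = host.lower() == "localhost"
        if is_loopback:
            findings.append({"kind": "loopback_proxy", "detail": hostport,
                             "note": "IE/Chrome/installers route through this; if nothing "
                                     "listens here they fail while Firefox (own proxy "
                                     "settings) keeps working"})
    return findings


def check_userinit(value: str) -> List[Finding]:
    """Userinit is a comma-separated list and Windows launches every entry at logon.
    Only system32\\userinit.exe belongs there; anything else is reported."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [{"kind": "userinit_extra", "detail": e,
             "note": "extra logon executable; not part of a default Userinit value"}
            for e in entries if not e.lower().endswith(r"\system32\userinit.exe")]


def check_nameserver(value: str) -> List[Finding]:
    """A static NameServer overrides the DHCP-supplied resolvers. Each address is
    reported so the owner can confirm it belongs to the ISP or a resolver they chose."""
    findings: List[Finding] = []
    for addr in value.split(","):
        addr = addr.strip()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue
        scope = "private" if ip.is_private else "public"
        findings.append({"kind": "static_dns", "detail": addr,
                         "note": f"{scope} resolver set statically; verify it is expected"})
    return findings


# 'key = value' and 'key=value' forms both occur in the report (see the mWinlogon line).
LINE_RE = re.compile(r"^(?P<key>[^=]+?)\s*=\s*(?P<value>.*)$")


def analyze_report(report: str) -> List[Finding]:
    """Run the three checks over the lines of a DDS Pseudo HJT Report."""
    findings: List[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group("key"), m.group("value")
        if key.endswith("ProxyServer"):
            results = check_proxy(value)
        elif key.startswith("mWinlogon:") and key.endswith("Userinit"):
            results = check_userinit(value)
        elif key.startswith("TCP:"):
            results = check_nameserver(value)
        else:
            continue
        for f in results:
            f["line"] = line
        findings.extend(results)
    return findings


if __name__ == "__main__":
    for f in analyze_report(SAMPLE_REPORT):
        print(f"[{f['kind']}] {f['detail']}: {f['note']}")
```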


#2 Casey_boy

  • Malware Response Team

Posted 30 November 2010 - 05:58 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Casey

If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.




#3 greeeeega


Posted 30 November 2010 - 10:39 AM

Hi there, thanks very much for the reply. Here are my two DDS files and my GMER, which I redid today.

DDS:



DDS (Ver_10-11-27.01) - NTFSx86
Run by Gregor at 12:40:18.37 on 30/11/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.936.86.1033.18.447.109 [GMT 0:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning enabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Gregor.TIMMYTHELAPTOP\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://static.ak.facebook.com/fbplugin/win32/axfbootloader.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} - hxxp://www.vexcast.com/download/vexcast.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 93.188.162.74,93.188.161.7
TCP: {3EABB9EA-7DCC-462B-8FF8-ABC270908802} = 93.188.162.74,93.188.161.7
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-11-20 64288]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-9-23 1355928]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-16 136176]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-9-23 15008]

=============== Created Last 30 ================

2010-11-29 18:14:33 -------- d-----w- c:\program files\JRE
2010-11-29 18:13:48 -------- d-----w- c:\program files\OpenOffice.org 3
2010-11-26 12:37:59 46464 -c--a-w- c:\windows\system32\dllcache\atibt829.sys
2010-11-26 12:29:13 46112 -c--a-w- c:\windows\system32\dllcache\adptsf50.sys
2010-11-26 12:28:30 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2010-11-25 13:07:49 266240 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iscript.dll
2010-11-25 13:07:49 192512 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iuser.dll
2010-11-25 13:07:48 729088 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iKernel.dll
2010-11-21 12:08:05 -------- dc----w- c:\docume~1\alluse~1.win\applic~1\Spybot - Search & Destroy
2010-11-21 12:08:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-21 00:59:46 -------- dc----w- c:\docume~1\alluse~1.win\applic~1\MFAData
2010-11-21 00:54:56 -------- d-----w- c:\docume~1\gregor~1.tim\applic~1\Systweak
2010-11-21 00:01:12 -------- d-----w- c:\windows\Internet Logs
2010-11-20 21:09:57 -------- dc----w- c:\docume~1\alluse~1.win\applic~1\Kaspersky SDK
2010-11-20 19:04:39 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-11-20 16:43:28 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-11-20 16:40:59 -------- dc-h--w- c:\docume~1\alluse~1.win\applic~1\{E961CE1B-C3EA-4882-9F67-F859B555D097}
2010-11-20 16:38:34 -------- d-----w- c:\program files\Lavasoft
2010-11-20 09:01:53 -------- d-----w- c:\docume~1\gregor~1.tim\applic~1\GameRanger
2010-11-19 19:03:46 -------- d-----w- c:\docume~1\gregor~1.tim\applic~1\BitComet
2010-11-19 19:03:42 -------- d-----w- c:\program files\BitComet
2010-11-19 18:08:45 -------- d-----w- c:\program files\CCleaner
2010-11-18 13:31:36 -------- dc----w- c:\docume~1\alluse~1.win\applic~1\Blizzard Entertainment
2010-11-18 13:10:55 -------- d-----w- c:\program files\Age of Empires II
2010-11-18 13:05:33 -------- d-----w- c:\program files\common files\Windows Live

==================== Find3M ====================


=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HTS541060G9SA00 rev.MB3OC60P -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x843D0D01]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x50; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x844ce85b; SUB DWORD [EBP-0x4], 0x844ce12e; PUSH EDI; CALL 0xffffffffffffe0f7; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x844A5998]
3 CLASSPNP[0xF7616FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x844774E8]
[0x84497CF8] -> IRP_MJ_CREATE -> 0x843D0D01
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskHTS541060G9SA00_________________________MB3OC60P#5&23802106&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x843D0AEA
user & kernel MBR OK
sectors 117231406 (+255): user != kernel
Warning: possible TDL3 rootkit infection !

============= FINISH: 12:43:20.68 ===============




#4 thcbytes

  • Malware Response Team

Posted 30 November 2010 - 08:12 PM

Hi and welcome to the Virus/Trojan/Spyware/Malware Removal forum,

I am thcbytes and I am here to help you!

I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems please stop and tell me about it. When your computer is clean I will alert you of such. I will also provide you with detailed suggestions for prevention.

In the upper right hand corner of the topic you will see a button called Watch this topic. Click on this then choose Immediate E-Mail notification and then Proceed and you will be advised when I respond to your topic by email.

After 5 days, if your topic has not been replied to, I will assume it has been abandoned and I will close it.

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

==========

Download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • If Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

==========

Please download ComboFix from one of these locations:

Link 1
Link 2

Save it to your Desktop <-- Important!!!

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click it & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


==========

Regards,
thcbytes
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#5 greeeeega


Posted 01 December 2010 - 09:05 AM

Hi thcbytes, thanks for your help.

1) I was able to run tdsskiller, below I will paste the log.

2) I could not run combofix because it tells me that it cannot run while AVG is installed. I didn't realise that I still have AVG installed. I currently have ad-aware, which I disabled beforehand using the steps provided on the guide. I can't find any way to uninstall AVG, so I'm a little stuck!

Thanks again,
Gregor.

Here is the log from tdsskiller:

2010/12/01 13:24:34.0000 TDSS rootkit removing tool 2.4.10.0 Nov 28 2010 18:35:56
2010/12/01 13:24:34.0000 ================================================================================
2010/12/01 13:24:34.0000 SystemInfo:
2010/12/01 13:24:34.0000
2010/12/01 13:24:34.0000 OS Version: 5.1.2600 ServicePack: 3.0
2010/12/01 13:24:34.0000 Product type: Workstation
2010/12/01 13:24:34.0000 ComputerName: TIMMYTHELAPTOP
2010/12/01 13:24:34.0000 UserName: Gregor
2010/12/01 13:24:34.0000 Windows directory: C:\WINDOWS
2010/12/01 13:24:34.0000 System windows directory: C:\WINDOWS
2010/12/01 13:24:34.0000 Processor architecture: Intel x86
2010/12/01 13:24:34.0000 Number of processors: 1
2010/12/01 13:24:34.0000 Page size: 0x1000
2010/12/01 13:24:34.0000 Boot type: Normal boot
2010/12/01 13:24:34.0000 ================================================================================
2010/12/01 13:24:36.0515 Initialize success
2010/12/01 13:25:00.0578 ================================================================================
2010/12/01 13:25:00.0578 Scan started
2010/12/01 13:25:00.0578 Mode: Manual;
2010/12/01 13:25:00.0578 ================================================================================
2010/12/01 13:25:02.0859 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/12/01 13:25:02.0921 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2010/12/01 13:25:02.0984 ADIHdAudAddService (7356eff52ad50b8946d346002118ce62) C:\WINDOWS\system32\drivers\ADIHdAud.sys
2010/12/01 13:25:03.0078 AEAudio (fff87a9b1ab36ee4b7bec98a4cb01b79) C:\WINDOWS\system32\drivers\AEAudio.sys
2010/12/01 13:25:03.0140 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/12/01 13:25:03.0203 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/12/01 13:25:03.0546 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/12/01 13:25:03.0875 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/12/01 13:25:03.0937 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/12/01 13:25:04.0109 ati2mtag (2922cd8a5d913e737d4e7a634042e154) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2010/12/01 13:25:04.0296 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/12/01 13:25:04.0390 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/12/01 13:25:04.0500 BCM43XX (69f940672be0ecee5bd1e905706ba8ce) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
2010/12/01 13:25:04.0593 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/12/01 13:25:04.0671 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/12/01 13:25:04.0750 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2010/12/01 13:25:04.0843 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/12/01 13:25:04.0906 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/12/01 13:25:04.0984 Cdrom (ced47a174d9233b0da01a6940b6b0391) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/12/01 13:25:04.0984 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\cdrom.sys. Real md5: ced47a174d9233b0da01a6940b6b0391, Fake md5: 1f4260cc5b42272d71f79e570a27a4fe
2010/12/01 13:25:05.0015 Cdrom - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/12/01 13:25:05.0093 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2010/12/01 13:25:05.0218 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2010/12/01 13:25:05.0437 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/12/01 13:25:05.0500 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/12/01 13:25:05.0562 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/12/01 13:25:05.0593 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/12/01 13:25:05.0703 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/12/01 13:25:05.0812 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/12/01 13:25:05.0906 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/12/01 13:25:05.0937 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2010/12/01 13:25:06.0000 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/12/01 13:25:06.0031 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2010/12/01 13:25:06.0109 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/12/01 13:25:06.0296 FsVga (455f778ee14368468560bd7cb8c854d0) C:\WINDOWS\system32\DRIVERS\fsvga.sys
2010/12/01 13:25:06.0343 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/12/01 13:25:06.0375 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/12/01 13:25:06.0421 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/12/01 13:25:06.0500 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/12/01 13:25:06.0593 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/12/01 13:25:06.0796 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/12/01 13:25:06.0937 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/12/01 13:25:07.0093 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/12/01 13:25:07.0250 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/12/01 13:25:07.0312 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/12/01 13:25:07.0375 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/12/01 13:25:07.0421 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/12/01 13:25:07.0468 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/12/01 13:25:07.0515 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/12/01 13:25:07.0578 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/12/01 13:25:07.0625 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/12/01 13:25:07.0656 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/12/01 13:25:07.0750 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/12/01 13:25:07.0937 Lavasoft Kernexplorer (32da3fde01f1bb080c2e69521dd8881e) C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys
2010/12/01 13:25:08.0062 Lbd (b7c19ec8b0dd7efa58ad41ffeb8b8cda) C:\WINDOWS\system32\DRIVERS\Lbd.sys
2010/12/01 13:25:08.0234 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/12/01 13:25:08.0281 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/12/01 13:25:08.0359 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/12/01 13:25:08.0375 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/12/01 13:25:08.0453 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/12/01 13:25:08.0546 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/12/01 13:25:08.0625 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/12/01 13:25:08.0750 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/12/01 13:25:08.0781 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/12/01 13:25:08.0812 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/12/01 13:25:08.0843 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/12/01 13:25:08.0875 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/12/01 13:25:08.0953 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2010/12/01 13:25:09.0000 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/12/01 13:25:09.0062 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2010/12/01 13:25:09.0093 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/12/01 13:25:09.0171 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/12/01 13:25:09.0218 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/12/01 13:25:09.0250 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/12/01 13:25:09.0281 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/12/01 13:25:09.0328 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/12/01 13:25:09.0421 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2010/12/01 13:25:09.0468 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/12/01 13:25:09.0515 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/12/01 13:25:09.0593 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/12/01 13:25:09.0687 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/12/01 13:25:09.0750 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/12/01 13:25:09.0828 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2010/12/01 13:25:09.0875 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/12/01 13:25:09.0921 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/12/01 13:25:09.0984 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/12/01 13:25:10.0031 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/12/01 13:25:10.0109 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/12/01 13:25:10.0156 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2010/12/01 13:25:10.0406 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/12/01 13:25:10.0453 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2010/12/01 13:25:10.0500 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/12/01 13:25:10.0546 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/12/01 13:25:10.0984 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/12/01 13:25:11.0031 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/12/01 13:25:11.0062 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/12/01 13:25:11.0093 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/12/01 13:25:11.0156 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/12/01 13:25:11.0203 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/12/01 13:25:11.0250 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/12/01 13:25:11.0296 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/12/01 13:25:11.0421 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
2010/12/01 13:25:11.0468 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/12/01 13:25:11.0546 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2010/12/01 13:25:11.0593 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/12/01 13:25:11.0765 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2010/12/01 13:25:11.0859 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/12/01 13:25:11.0937 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/12/01 13:25:12.0015 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/12/01 13:25:12.0187 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2010/12/01 13:25:12.0234 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/12/01 13:25:12.0281 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/12/01 13:25:12.0453 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/12/01 13:25:12.0546 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/12/01 13:25:12.0671 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/12/01 13:25:12.0718 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/12/01 13:25:12.0781 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/12/01 13:25:12.0890 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/12/01 13:25:13.0000 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/12/01 13:25:13.0187 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2010/12/01 13:25:13.0218 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/12/01 13:25:13.0281 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/12/01 13:25:13.0328 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/12/01 13:25:13.0359 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2010/12/01 13:25:13.0453 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/12/01 13:25:13.0500 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/12/01 13:25:13.0578 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/12/01 13:25:13.0640 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/12/01 13:25:13.0718 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/12/01 13:25:13.0937 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2010/12/01 13:25:14.0000 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2010/12/01 13:25:14.0109 ================================================================================
2010/12/01 13:25:14.0109 Scan finished
2010/12/01 13:25:14.0109 ================================================================================
2010/12/01 13:25:14.0140 Detected object count: 1
2010/12/01 13:25:25.0359 Cdrom (ced47a174d9233b0da01a6940b6b0391) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/12/01 13:25:25.0359 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\cdrom.sys. Real md5: ced47a174d9233b0da01a6940b6b0391, Fake md5: 1f4260cc5b42272d71f79e570a27a4fe
2010/12/01 13:25:28.0296 Backup copy found, using it..
2010/12/01 13:25:30.0015 C:\WINDOWS\system32\DRIVERS\cdrom.sys - will be cured after reboot
2010/12/01 13:25:30.0015 Rootkit.Win32.TDSS.tdl3(Cdrom) - User select action: Cure
2010/12/01 13:25:41.0125 Deinitialize success

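The line that matters in that log is the "Suspicious file (Forged)" entry: TDSSKiller recorded two different MD5 values for the same cdrom.sys, labelled Real and Fake. A file whose content depends on how it is read is the signature of a rootkit filtering disk I/O, and that is what the Rootkit.Win32.TDSS.tdl3 verdict on the following line reports. As an added example, not part of Gregor's post and not TDSSKiller's own code, the Python below parses that log format and pulls out the enumerated drivers, the forged-hash pairs, the verdicts and the action the user chose. The embedded sample is a constructed excerpt of the lines above, and the regular expressions are written from those lines only, not from any published log specification; the Finding and Report classes and parse_tdsskiller_log are names chosen here.

```python
"""Extract detections from a TDSSKiller 2.4.x scan log (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: a few lines copied from the log posted above, not the
# whole log. Note the service name with a space on the Lavasoft line.
SAMPLE_LOG = r"""
2010/12/01 13:25:04.0984 Cdrom (ced47a174d9233b0da01a6940b6b0391) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/12/01 13:25:04.0984 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\cdrom.sys. Real md5: ced47a174d9233b0da01a6940b6b0391, Fake md5: 1f4260cc5b42272d71f79e570a27a4fe
2010/12/01 13:25:05.0015 Cdrom - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/12/01 13:25:05.0093 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2010/12/01 13:25:07.0937 Lavasoft Kernexplorer (32da3fde01f1bb080c2e69521dd8881e) C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys
2010/12/01 13:25:14.0140 Detected object count: 1
2010/12/01 13:25:30.0015 Rootkit.Win32.TDSS.tdl3(Cdrom) - User select action: Cure
"""

TS = r"^\S+ \S+ "  # "2010/12/01 13:25:04.0984 " date and time prefix
DRIVER_RE = re.compile(TS + r"(?P<svc>.+?) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
FORGED_RE = re.compile(TS + r"Suspicious file \(Forged\): (?P<path>.+?)\. "
                       r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$")
DETECT_RE = re.compile(TS + r"(?P<svc>.+?) - detected (?P<verdict>\S+) \(\d+\)$")
ACTION_RE = re.compile(TS + r"(?P<verdict>[^\s(]+)\((?P<svc>.+?)\) - User select action: (?P<action>\w+)$")
COUNT_RE = re.compile(TS + r"Detected object count: (?P<n>\d+)$")


@dataclass
class Finding:
    service: str
    path: Optional[str] = None
    listed_md5: Optional[str] = None  # hash on the enumeration line
    real_md5: Optional[str] = None    # the pair from a "Forged" line
    fake_md5: Optional[str] = None
    verdict: Optional[str] = None     # e.g. Rootkit.Win32.TDSS.tdl3
    action: Optional[str] = None      # e.g. Cure

    def hash_mismatch(self) -> bool:
        # Two hashes for one path: the bytes returned depended on the read
        # path, so something in the I/O stack is rewriting what callers see.
        return bool(self.real_md5 and self.fake_md5 and self.real_md5 != self.fake_md5)

    def is_suspicious(self) -> bool:
        return self.hash_mismatch() or self.verdict is not None


@dataclass
class Report:
    findings: Dict[str, Finding] = field(default_factory=dict)
    detected_count: Optional[int] = None

    def suspicious(self) -> List[Finding]:
        return [f for f in self.findings.values() if f.is_suspicious()]

    def consistent(self) -> bool:
        # The tool's own count should agree with what we extracted.
        return self.detected_count == len(self.suspicious())


def parse_tdsskiller_log(text: str) -> Report:
    report = Report()
    by_path: Dict[str, Finding] = {}

    def finding_for(service: str) -> Finding:
        return report.findings.setdefault(service, Finding(service=service))

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FORGED_RE.match(line)  # checked first: it carries the evidence
        if m:
            f = by_path.get(m["path"]) or finding_for(m["path"])
            f.path, f.real_md5, f.fake_md5 = m["path"], m["real"], m["fake"]
            continue
        m = DRIVER_RE.match(line)
        if m:
            f = finding_for(m["svc"])
            f.path, f.listed_md5 = m["path"], m["md5"]
            by_path[f.path] = f
            continue
        m = DETECT_RE.match(line)
        if m:
            finding_for(m["svc"]).verdict = m["verdict"]
            continue
        m = ACTION_RE.match(line)
        if m:
            f = finding_for(m["svc"])
            f.action, f.verdict = m["action"], f.verdict or m["verdict"]
            continue
        m = COUNT_RE.match(line)
        if m:
            report.detected_count = int(m["n"])
    return report


if __name__ == "__main__":
    rep = parse_tdsskiller_log(SAMPLE_LOG)
    for f in rep.suspicious():
        print(f"{f.service}: {f.path} verdict={f.verdict} action={f.action} "
              f"mismatch={f.hash_mismatch()}")
    print("count consistent:", rep.consistent())
```

The parser keys findings by service name rather than by line, because the same driver is listed twice in a real log (once during the scan, once again when the cure is applied) and both lines describe one object. The consistent() check compares the tool's own "Detected object count" with the number of suspicious findings extracted, which catches a log whose format has drifted from what the regular expressions expect.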
#6 thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 01 December 2010 - 09:57 AM

Yes. We need to uninstall AVG.

Please first note..

One or more of the identified infections is a Backdoor trojan/Rootkit.

This allows hackers to potentially remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If after careful consideration you have decided to move forward with cleanup then please proceed as I have outlined below.

==========

Run the AVG uninstaller..

http://download.avg.com/filedir/util/avg_arm_sup_____.dir/avgremover.exe

==========

Now run Combofix per my prior instructions.

=========

Install Microsoft Security Essentials instead of AVG as your AV software method

Regards,
thcbytes
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#7 greeeeega

  • Topic Starter
  • Members
  • 7 posts

Posted 01 December 2010 - 10:47 AM

Thanks. I think I would like to reformat and reinstall the OS. I don't know so much about computers, so: do I need to clean the PC first, THEN reformat and reinstall or can I just reformat and reinstall without cleaning?

If the second, I now have the problem that I am unable to open the link you have posted for the uninstall program for AVG. Firefox tells me: 'Unable to Connect. Firefox can't establish a connection to the server at download.avg.com.
* The site could be temporarily unavailable or too busy. Try again in a few moments.

* If you are unable to load any pages, check your computer's network connection.

* If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.'

I can access other websites on firefox, just not this one it seems.

Thanks again,
Gregor.

#8 thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 01 December 2010 - 02:31 PM

If you format the hard disc that means you completely erase it. Then you re-install a clean version of Windows. In this scenario there is no need to proceed any further with cleanup. Be aware that this process will result in loss of all installed applications. If you decide to back up your files and folders before you format please note below...

Note that the files with the following extensions should not be backed up:
.exe
.scr
.htm
.html
.xml
.zip
.rar
.asp
.php


Is your plan to format and re-install?

Regards,
thcbytes
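As an added example, not from the thread or its participants, here is a Python script that applies that exclusion list while copying a user's files off the machine: it walks the source tree, skips anything with one of the listed extensions regardless of letter case, copies the rest to the same relative path under the destination, and reports what it copied and what it left behind. The sample directory tree is constructed inside a temporary directory so the script runs offline; copy_documents, is_excluded and demo are names chosen here. It filters by extension only, which is what the post asks for, so the files it does carry across should still be scanned on the clean install before they are opened.

```python
"""Copy documents off an infected machine, skipping risky file types (added example)."""
import os
import shutil
import tempfile
from pathlib import Path
from typing import List, Tuple

# The extensions listed in the post above. Matching is case-insensitive
# because Windows filenames are: "SETUP.EXE" is still an executable.
EXCLUDED_EXTENSIONS = {".exe", ".scr", ".htm", ".html", ".xml",
                       ".zip", ".rar", ".asp", ".php"}


def is_excluded(name: str) -> bool:
    return Path(name).suffix.lower() in EXCLUDED_EXTENSIONS


def copy_documents(src: str, dst: str, dry_run: bool = False) -> Tuple[List[str], List[str]]:
    """Walk src and copy every allowed file to the same relative path under dst.

    Returns (copied, skipped) as sorted, forward-slash relative paths so the
    result reads the same whether this runs on Windows or on a rescue system.
    With dry_run=True nothing is written; the lists show what would happen.
    """
    copied, skipped = [], []
    for root, _dirs, files in os.walk(src):
        for name in files:
            full = Path(root) / name
            rel = full.relative_to(src).as_posix()
            if is_excluded(name):
                skipped.append(rel)
                continue
            if not dry_run:
                target = Path(dst) / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                shutil.copy2(full, target)  # copy2 keeps the timestamps
            copied.append(rel)
    return sorted(copied), sorted(skipped)


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Build a constructed sample tree in a temp dir, run the copy, and return
    (copied, skipped, files actually present under the destination)."""
    sample = ["Documents/thesis.doc", "Documents/notes.txt", "Downloads/SETUP.EXE",
              "Downloads/photos.zip", "web/index.htm", "Pictures/holiday.jpg"]
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "src", Path(tmp) / "dst"
        for rel in sample:
            p = src / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"sample content")  # constructed placeholder data
        copied, skipped = copy_documents(str(src), str(dst))
        on_disk = sorted(p.relative_to(dst).as_posix()
                         for p in dst.rglob("*") if p.is_file())
    return copied, skipped, on_disk


if __name__ == "__main__":
    copied, skipped, on_disk = demo()
    print("copied :", copied)
    print("skipped:", skipped)
    print("present:", on_disk)
```

Run it once with dry_run=True against the real user profile first to review the skipped list before anything is written to the backup medium.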

#9 greeeeega

  • Topic Starter
  • Members
  • 7 posts

Posted 02 December 2010 - 07:55 AM

Hi, yes, my plan is to reformat and reinstall. I was just wondering how to reformat? How do I wipe everything?

Thanks for the help,
Gregor.

#10 thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 02 December 2010 - 10:28 AM

Here you go...

http://michaelstevenstech.com/cleanxpinstall.html

#11 greeeeega

  • Topic Starter
  • Members
  • 7 posts

Posted 03 December 2010 - 11:26 AM

Perfect. Thanks very much again for the help!

Best,
Gregor.

#12 thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 03 December 2010 - 04:58 PM

You're welcome. Any other questions? Otherwise I will close this thread.

#13 greeeeega

  • Topic Starter
  • Members
  • 7 posts

Posted 04 December 2010 - 08:14 AM

No that's everything.

Cheers.

#14 thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 04 December 2010 - 04:59 PM

Since this topic appears to be resolved, I will now close it.
If you need this topic re-opened please send me a PM.

Everyone else, please start a new topic.



