Computer infected

waddler8 · July 10, 2010

I dont think I have any AV protection now since I installed the new comp. Dont mind paying if that will get a better protection.

Do the above and then we'll sort that out.

Hera · July 10, 2010

There is a lot of info : it ends -

Registry objects infected / cured / cured on reboot 0 / 0 / 0

File objects infected / cured / cured on reboot: 1 / 0 / 1

KLMD(ARK) unloaded successfully.

Firewall is staying on & the comp is alright at the moment

waddler8 · July 10, 2010

As I thought, you had the TDL3/Alureon rootkit. TDSSkiller has removed it looking at the section of the log you showed me. the other data you didn't post will just show which driver file it will have infected.

The rootkit has the ability to download additional malware by re-directing your browser, taking you to unwanted sites, some of which contain exploits which cause malicious software to be downloaded. That is how you kept getting re-infected.

Can you post me a hijackthis log? It's a diagnostic log that will show certain settings on you computer that can be hijacked by malware.

Go Here to download HijackThis Installer

Save the HijackThis Installer to your desktop.
Double-click on the HijackThis Installer icon on your desktop.
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
Once installed it will launch Hijackthis and will create a HijackThis icon on the desktop.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.

Don't fix anything because as I said, it's diagnostic and some (if not most) of the settings are legitimate settings. Copy the entire contents of the log and post it here.

Hera · July 11, 2010

There are two documents this is one

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 11:28:07, on 11/07/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\Program Files\AVG\AVG8\avgrsx.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\brsvc01a.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\brss01a.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\ASRock WiFi-802.11g\RtWLan.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

C:\DOCUME~1\PATRIC~1\LOCALS~1\Temp\ie1696.tmp

C:\DOCUME~1\PATRIC~1\LOCALS~1\Temp\ie1697.tmp

C:\WINDOWS\system32\calc.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://email.secureserver.net/login.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5577

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\Hewlett-Packard\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [{7DE1D051-24A7-CA67-ADDB-5A4723D168F6}] "C:\Documents and Settings\Patrick Rattigan\Application Data\Dofyu\ketux.exe"

O4 - HKCU\..\Run: [{3A0991BB-2CB9-796B-D45F-C140B1BC2044}] "C:\WINDOWS\system32\config\systemprofile\Application Data\Kiro\octa.exe"

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: ASRock WiFi-802.11g.lnk = ?

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: officejet 6100.lnk = ?

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1220957200515

O20 - AppInit_DLLs: avgrsstx.dll

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--

End of file - 8008 bytes

Hera · July 11, 2010

As I thought, you had the TDL3/Alureon rootkit. TDSSkiller has removed it looking at the section of the log you showed me. the other data you didn't post will just show which driver file it will have infected.

The rootkit has the ability to download additional malware by re-directing your browser, taking you to unwanted sites, some of which contain exploits which cause malicious software to be downloaded. That is how you kept getting re-infected.

Can you post me a hijackthis log? It's a diagnostic log that will show certain settings on you computer that can be hijacked by malware.

Go Here to download HijackThis Installer

Save the HijackThis Installer to your desktop.

Double-click on the HijackThis Installer icon on your desktop.

By default it will install to C:\Program Files\Trend Micro\HijackThis .

Click on Install.

Once installed it will launch Hijackthis and will create a HijackThis icon on the desktop.

Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.

Don't fix anything because as I said, it's diagnostic and some (if not most) of the settings are legitimate settings. Copy the entire contents of the log and post it here.

Cant copy the other one

M.Bison · July 11, 2010

had the very same virus.. was a bugger to get rid of as it disabled most of the features on my pc (no internet, search, task manager etc).

finally had to boot in safe mode and manually delete everything from a couple guides i found through google.. would have been way worse if i hadnt had an iphone to help

waddler8 · July 11, 2010

Sorry for the late reply, I've been out all day.

Read through this, If there's anything you're unsure of - ask me first.

First go to start > all programs > accessories > system tools and click System Restore

Click create a restore point > next > Choose a description (todays date will be fine) > create > close

Next download the file OTM.exe

If IE8 gives you a download warning, click "Disregard and download unsafe file [not recommended]" The website and the file are safe. It's a false positive.

Download OTM and save it to your Desktop.

Double-click OTM.exe to run it.
Hightlight & copy the following code inside the codebox below. Do not include the word Code:

:Reg
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"KernelFaultCheck"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"{7DE1D051-24A7-CA67-ADDB-5A4723D168F6}"=-
"{3A0991BB-2CB9-796B-D45F-C140B1BC2044}"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"=-

:Files
C:\Documents and Settings\Patrick Rattigan\Application Data\Dofyu
C:\WINDOWS\system32\config\systemprofile\Application Data\Kiro

:Commands
[purity]
[emptytemp]
[Reboot]

Return to OTM, right click in the "Paste instructions for Items to be moved" area of the OTM window (under the yellow bar) and choose Paste.
Push the large MoveIt! button.
OTM may ask to reboot the machine. Please do so if asked.
Copy everything in the Results window (under the green bar), and paste it in your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

After that has rebooted and finished, download a (free) anti-virus from any one these:

Suggestions:

Download the installation file and save it to your desktop, but don't install it yet.

Download and save AVG Remover(32bit)(avgremover.exe) to your desktop. Uninstall AVG8 through Add/Remove programs then run avgremover.exe and follow the prompts. Reboot when/if asked.

Then run the installation file of the anti-virus you chose and follow the prompts to install, rebooting when/if asked.

After you've done that, post me a new Hijackthis log as before along with the OTM log. Split the posts if you need to, to fit them in.

Hera · July 12, 2010

Sorry for the late reply, I've been out all day.

Read through this, If there's anything you're unsure of - ask me first.

First go to start > all programs > accessories > system tools and click System Restore

Click create a restore point > next > Choose a description (todays date will be fine) > create > close

Next download the file OTM.exe

If IE8 gives you a download warning, click "Disregard and download unsafe file [not recommended]" The website and the file are safe. It's a false positive.

Download OTM and save it to your Desktop.

Double-click OTM.exe to run it.

Hightlight & copy the following code inside the codebox below. Do not include the word Code:
:Reg
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"KernelFaultCheck"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"{7DE1D051-24A7-CA67-ADDB-5A4723D168F6}"=-
"{3A0991BB-2CB9-796B-D45F-C140B1BC2044}"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"=-

:Files
C:\Documents and Settings\Patrick Rattigan\Application Data\Dofyu
C:\WINDOWS\system32\config\systemprofile\Application Data\Kiro

:Commands
[purity]
[emptytemp]
[Reboot]
Return to OTM, right click in the "Paste instructions for Items to be moved" area of the OTM window (under the yellow bar) and choose Paste.

Push the large MoveIt! button.

OTM may ask to reboot the machine. Please do so if asked.

Copy everything in the Results window (under the green bar), and paste it in your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

After that has rebooted and finished, download a (free) anti-virus from any one these:

Suggestions:

avast! Free Antivirus

Microsoft Security Essentials

Avira AntiVir Personal

Download the installation file and save it to your desktop, but don't install it yet.

Download and save AVG Remover(32bit)(avgremover.exe) to your desktop. Uninstall AVG8 through Add/Remove programs then run avgremover.exe and follow the prompts. Reboot when/if asked.

Then run the installation file of the anti-virus you chose and follow the prompts to install, rebooting when/if asked.

After you've done that, post me a new Hijackthis log as before along with the OTM log. Split the posts if you need to, to fit them in.

Files moved on Reboot...

C:\Documents and Settings\Patrick Rattigan\Local Settings\Temp\16A3.tmp moved successfully.

C:\Documents and Settings\Patrick Rattigan\Local Settings\Temp\16B1.tmp moved successfully.

C:\Documents and Settings\Patrick Rattigan\Local Settings\Temp\16C3.tmp moved successfully.

C:\Documents and Settings\Patrick Rattigan\Local Settings\Temp\ie169D.tmp moved successfully.

C:\Documents and Settings\Patrick Rattigan\Local Settings\Temp\ie16A7.tmp moved successfully.

C:\Documents and Settings\Patrick Rattigan\Local Settings\Temp\ie16BD.tmp moved successfully.

C:\Documents and Settings\Patrick Rattigan\Local Settings\Temp\in169C.tmp moved successfully.

C:\Documents and Settings\Patrick Rattigan\Local Settings\Temp\in16A0.tmp moved successfully.

C:\Documents and Settings\Patrick Rattigan\Local Settings\Temp\in16AE.tmp moved successfully.

C:\Documents and Settings\Patrick Rattigan\Local Settings\Temp\in16C0.tmp moved successfully.

C:\Documents and Settings\Patrick Rattigan\Local Settings\Temporary Internet Files\Content.IE5\DV22QCJD\blank[2].htm moved successfully.

Registry entries deleted on Reboot...

Cannot download AV - says IE cannot display ..

waddler8 · July 12, 2010

Can you not access the internet at all with IE, or just the links for an antivirus?

Also, can you post me the full OTM log, what you have posted isn't all of it.

Navigate to the C:\_OTM\MovedFiles folder, and open the .log file again as before, then when the logfile opens in notepad, go to edit > select all (which will highlight all the text) > edit > copy and then paste it in your reply here.

Hera · July 13, 2010

Can you not access the internet at all with IE, or just the links for an antivirus?

Also, can you post me the full OTM log, what you have posted isn't all of it.

Navigate to the C:\_OTM\MovedFiles folder, and open the .log file again as before, then when the logfile opens in notepad, go to edit > select all (which will highlight all the text) > edit > copy and then paste it in your reply here.