waddler8 #25 Posted July 10, 2010

Quote from Hera: I don't think I have any AV protection now since I installed the new comp. Don't mind paying if that will get better protection.

Do the above and then we'll sort that out.
Hera #26 Posted July 10, 2010

There is a lot of info; it ends:

Registry objects infected / cured / cured on reboot 0 / 0 / 0
File objects infected / cured / cured on reboot: 1 / 0 / 1
KLMD(ARK) unloaded successfully.

Firewall is staying on & the comp is alright at the moment.
waddler8 #27 Posted July 10, 2010

As I thought, you had the TDL3/Alureon rootkit. TDSSKiller has removed it, looking at the section of the log you showed me. The other data you didn't post will just show which driver file it will have infected.

The rootkit has the ability to download additional malware by redirecting your browser, taking you to unwanted sites, some of which contain exploits which cause malicious software to be downloaded. That is how you kept getting re-infected.

Can you post me a HijackThis log? It's a diagnostic log that will show certain settings on your computer that can be hijacked by malware.

Go Here to download HijackThis Installer.
Save the HijackThis Installer to your desktop.
Double-click on the HijackThis Installer icon on your desktop. By default it will install to C:\Program Files\Trend Micro\HijackThis. Click on Install.
Once installed it will launch HijackThis and will create a HijackThis icon on the desktop.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.

Don't fix anything because, as I said, it's diagnostic and some (if not most) of the settings are legitimate settings. Copy the entire contents of the log and post it here.
Hera #28 Posted July 11, 2010

There are two documents; this is one.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:28:07, on 11/07/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ASRock WiFi-802.11g\RtWLan.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\DOCUME~1\PATRIC~1\LOCALS~1\Temp\ie1696.tmp
C:\DOCUME~1\PATRIC~1\LOCALS~1\Temp\ie1697.tmp
C:\WINDOWS\system32\calc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://email.secureserver.net/login.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5577
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\Hewlett-Packard\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [{7DE1D051-24A7-CA67-ADDB-5A4723D168F6}] "C:\Documents and Settings\Patrick Rattigan\Application Data\Dofyu\ketux.exe"
O4 - HKCU\..\Run: [{3A0991BB-2CB9-796B-D45F-C140B1BC2044}] "C:\WINDOWS\system32\config\systemprofile\Application Data\Kiro\octa.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: ASRock WiFi-802.11g.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1220957200515
O20 - AppInit_DLLs: avgrsstx.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

-- End of file - 8008 bytes
Hera #29 Posted July 11, 2010

(quoting #27)

Can't copy the other one.
M.Bison #30 Posted July 11, 2010

Had the very same virus. Was a bugger to get rid of as it disabled most of the features on my PC (no internet, search, Task Manager etc.).

Finally had to boot in safe mode and manually delete everything from a couple of guides I found through Google. Would have been way worse if I hadn't had an iPhone to help.
waddler8 #31 Posted July 11, 2010

Sorry for the late reply, I've been out all day.

Read through this. If there's anything you're unsure of, ask me first.

First go to Start > All Programs > Accessories > System Tools and click System Restore. Click Create a restore point > Next > choose a description (today's date will be fine) > Create > Close.

Next download the file OTM.exe. If IE8 gives you a download warning, click "Disregard and download unsafe file [not recommended]". The website and the file are safe; it's a false positive.

Download OTM and save it to your Desktop.
Double-click OTM.exe to run it.
Highlight & copy the following code inside the codebox below. Do not include the word Code:

Code:
:Reg
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"KernelFaultCheck"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"{7DE1D051-24A7-CA67-ADDB-5A4723D168F6}"=-
"{3A0991BB-2CB9-796B-D45F-C140B1BC2044}"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"=-
:Files
C:\Documents and Settings\Patrick Rattigan\Application Data\Dofyu
C:\WINDOWS\system32\config\systemprofile\Application Data\Kiro
:Commands
[purity]
[emptytemp]
[Reboot]

Return to OTM, right-click in the "Paste instructions for Items to be moved" area of the OTM window (under the yellow bar) and choose Paste.
Push the large MoveIt! button.
OTM may ask to reboot the machine. Please do so if asked.
Copy everything in the Results window (under the green bar), and paste it in your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start -> All Programs -> Accessories -> Notepad), click File -> Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.

After that has rebooted and finished, download a (free) anti-virus from any one of these suggestions:
avast! Free Antivirus
Microsoft Security Essentials
Avira AntiVir Personal

Download the installation file and save it to your desktop, but don't install it yet.

Download and save AVG Remover (32bit) (avgremover.exe) to your desktop. Uninstall AVG8 through Add/Remove Programs, then run avgremover.exe and follow the prompts. Reboot when/if asked.

Then run the installation file of the anti-virus you chose and follow the prompts to install, rebooting when/if asked.

After you've done that, post me a new HijackThis log as before, along with the OTM log. Split the posts if you need to, to fit them in.
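The HijackThis log in #28 and the OTM script in #31 show the manual triage the helper did: the Run values worth removing are the two GUID-named entries launching executables from random-named folders under Application Data, the ProxyServer setting pointing the browser at 127.0.0.1:5577, and the .tmp files executing out of Temp. The Python below is an added example that is not part of this thread and is not HijackThis or OTM code; it applies those same checks to a constructed excerpt of the #28 log and renders the matching OTM script. The names triage, otm_script, Finding and SAMPLE_LOG, and the regexes, are this example's own; the OTM syntax (:Reg with "name"=- , :Files, :Commands) is taken from the script in #31.

```python
"""Triage a HijackThis log for the hijacks seen in this thread and emit an OTM fix script.
Added example (not HijackThis/OTM code). Checks: GUID-named Run values, autostarts under
Application Data or Temp, a loopback ProxyServer, and processes running out of Temp."""
import ntpath
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the HijackThis log in post #28 (not the full log).
SAMPLE_LOG = r"""Running processes:
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\DOCUME~1\PATRIC~1\LOCALS~1\Temp\ie1696.tmp
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5577
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [{7DE1D051-24A7-CA67-ADDB-5A4723D168F6}] "C:\Documents and Settings\Patrick Rattigan\Application Data\Dofyu\ketux.exe"
O4 - HKCU\..\Run: [{3A0991BB-2CB9-796B-D45F-C140B1BC2044}] "C:\WINDOWS\system32\config\systemprofile\Application Data\Kiro\octa.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
"""

# HJT line shapes: "O4 - HKCU\..\Run: [name] command" and "R1 - HKCU\<key>,ProxyServer = value"
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+(?:\\[^\\]+)?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
PROXY_RE = re.compile(r"^R1 - (?P<hive>HK\w+)\\(?P<key>[^,]+),ProxyServer = (?P<value>.*)$")
GUID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
PROFILE_DIR_RE = re.compile(r"\\(?:Application Data|Local Settings\\Temp|LOCALS~1\\Temp)\\", re.I)
LOOPBACK_RE = re.compile(r"127\.0\.0\.1|localhost", re.I)
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


@dataclass
class Finding:
    kind: str    # "run", "proxy" or "process"
    hive: str    # full hive name for registry findings, "" for processes
    key: str     # subkey below the hive, "" for processes
    name: str    # registry value name, or the process path
    path: str    # file the Run entry launches, "" otherwise
    reason: str


def _exe_path(cmd: str) -> str:
    """Quoted path if the command is quoted, else the first space-delimited token."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    return (m.group(1) or m.group(2)) if m else cmd


def triage(log_text: str) -> list:
    findings, in_processes = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            in_processes = False          # blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if PROFILE_DIR_RE.search(line):
                findings.append(Finding("process", "", "", line, line, "running from a profile/Temp directory"))
            continue
        m = RUN_RE.match(line)
        if m:
            short = m.group("hive").split("\\")[0]
            hive = HIVES.get(short, m.group("hive"))   # HKUS\<SID> hives are left unresolved
            name, path = m.group("name"), _exe_path(m.group("cmd"))
            reasons = []
            if GUID_RE.match(name):
                reasons.append("GUID-named Run value")
            if PROFILE_DIR_RE.search(path):
                reasons.append("autostart under Application Data/Temp")
            if reasons:
                findings.append(Finding("run", hive, RUN_SUBKEY, name, path, "; ".join(reasons)))
            continue
        m = PROXY_RE.match(line)
        if m and LOOPBACK_RE.search(m.group("value")):
            findings.append(Finding("proxy", HIVES.get(m.group("hive"), m.group("hive")), m.group("key"),
                                    "ProxyServer", "", "browser proxied through loopback: " + m.group("value")))
    return findings


def otm_script(findings) -> str:
    """Render the OTM :Reg/:Files/:Commands script that removes the flagged items."""
    reg, dirs = {}, []           # registry key -> value names; dropper directories
    for f in findings:
        if f.kind in ("run", "proxy"):
            reg.setdefault(f.hive + "\\" + f.key, []).append(f.name)
        if f.kind == "run" and ntpath.dirname(f.path) not in dirs:
            dirs.append(ntpath.dirname(f.path))   # move the whole folder, as post #31 does
        # "process" findings sit in Temp and are handled by [emptytemp] below
    lines = [":Reg"]
    for key, names in reg.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
    lines += [":Files", *dirs, ":Commands", "[purity]", "[emptytemp]", "[Reboot]"]
    return "\n".join(lines)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.kind}] {f.name}: {f.reason}")
    print()
    print(otm_script(found))
```

On the excerpt this flags exactly the two GUID entries, the loopback proxy and the Temp process, and leaves ctfmon, the AVG tray and the KernelFaultCheck leftover alone (the helper removed KernelFaultCheck as housekeeping, not as malware). The directory-level :Files move matters because the Run value alone is not the persistence: deleting the value and leaving the dropper folder invites the next browser redirect to re-register it.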
Hera #32 Posted July 12, 2010

(quoting #31)

Files moved on Reboot...
C:\Documents and Settings\Patrick Rattigan\Local Settings\Temp\16A3.tmp moved successfully.
C:\Documents and Settings\Patrick Rattigan\Local Settings\Temp\16B1.tmp moved successfully.
C:\Documents and Settings\Patrick Rattigan\Local Settings\Temp\16C3.tmp moved successfully.
C:\Documents and Settings\Patrick Rattigan\Local Settings\Temp\ie169D.tmp moved successfully.
C:\Documents and Settings\Patrick Rattigan\Local Settings\Temp\ie16A7.tmp moved successfully.
C:\Documents and Settings\Patrick Rattigan\Local Settings\Temp\ie16BD.tmp moved successfully.
C:\Documents and Settings\Patrick Rattigan\Local Settings\Temp\in169C.tmp moved successfully.
C:\Documents and Settings\Patrick Rattigan\Local Settings\Temp\in16A0.tmp moved successfully.
C:\Documents and Settings\Patrick Rattigan\Local Settings\Temp\in16AE.tmp moved successfully.
C:\Documents and Settings\Patrick Rattigan\Local Settings\Temp\in16C0.tmp moved successfully.
C:\Documents and Settings\Patrick Rattigan\Local Settings\Temporary Internet Files\Content.IE5\DV22QCJD\blank[2].htm moved successfully.

Registry entries deleted on Reboot...

Cannot download AV; says IE cannot display...
waddler8 #33 Posted July 12, 2010

Can you not access the internet at all with IE, or just the links for an antivirus?

Also, can you post me the full OTM log? What you have posted isn't all of it.

Navigate to the C:\_OTM\MovedFiles folder and open the .log file again as before, then when the logfile opens in Notepad, go to Edit > Select All (which will highlight all the text) > Edit > Copy and then paste it in your reply here.
Hera #34 Posted July 13, 2010

(quoting #33)

Files moved on Reboot...
C:\Documents and Settings\Patrick Rattigan\Local Settings\Temp\16A3.tmp moved successfully.
C:\Documents and Settings\Patrick Rattigan\Local Settings\Temp\16B1.tmp moved successfully.
C:\Documents and Settings\Patrick Rattigan\Local Settings\Temp\16C3.tmp moved successfully.
C:\Documents and Settings\Patrick Rattigan\Local Settings\Temp\ie169D.tmp moved successfully.
C:\Documents and Settings\Patrick Rattigan\Local Settings\Temp\ie16A7.tmp moved successfully.
C:\Documents and Settings\Patrick Rattigan\Local Settings\Temp\ie16BD.tmp moved successfully.
C:\Documents and Settings\Patrick Rattigan\Local Settings\Temp\in169C.tmp moved successfully.
C:\Documents and Settings\Patrick Rattigan\Local Settings\Temp\in16A0.tmp moved successfully.
C:\Documents and Settings\Patrick Rattigan\Local Settings\Temp\in16AE.tmp moved successfully.
C:\Documents and Settings\Patrick Rattigan\Local Settings\Temp\in16C0.tmp moved successfully.
C:\Documents and Settings\Patrick Rattigan\Local Settings\Temporary Internet Files\Content.IE5\DV22QCJD\blank[2].htm moved successfully.

Registry entries deleted on Reboot...

This is in Notepad.

Can access IE okay. Firewall is staying on.
waddler8 #35 Posted July 13, 2010 (edited)

Deleted, see the post below this.

Edited July 13, 2010 by waddler8
waddler8 #36 Posted July 13, 2010

Hmm... It looks as if it's not written the full log for some reason then.

Go to Start > Run and copy/paste the following command into the box:

cmd /c dir c:\_otm /s >Log.txt&Log.txt&del Log.txt

A black command box will open and close and a log should open. Copy/paste that log here.

Quote from Hera: Can access IE okay. Firewall is staying on.

Good, so you just get "IE cannot display..." from the links. That could be because of this forum, or something else. Copy/paste any one of the following links directly into your browser's address bar and tell me if they work.

http://www.avast.com/free-antivirus-download

http://www.microsoft.com/Security_Essentials/

http://www.free-av.com/en/products/1/avira_antivir_personal__free_antivirus.html

If not, go to this site and tell me what you see:

http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

Or copy/paste:

http://www.confickerworkinggroup.org/infection_test/cfeyechart.html