
Thread: Am I still infected?

  1. #1
    Junior Member (Join Date: Dec 2010, Posts: 16)

    Am I still infected?

    Hello. My system was recently infected with some particularly malicious trojans. They were causing slow-downs and generally impeding system performance. I removed most of them with Malwarebytes' Anti-Malware or moved infected files to AVG's Virus Vault. Then I performed a scan with Spybot and it found two strains: Win32.Agent.ws and Win32.Autorun.tmp.

    I got rid of them with Spybot and system performance has seemed to generally improve. I just want to know if my system is clean now.

    Here is my DDS log and attached file.

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Owner at 13:28:53.34 on Sun 12/26/2010
    Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_14
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.279 [GMT 11:00]

    AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
    C:\windows\system32\Ati2evxx.exe
    C:\windows\system32\svchost -k DcomLaunch
    svchost.exe
    C:\windows\System32\svchost.exe -k netsvcs
    svchost.exe
    C:\windows\system32\Ati2evxx.exe
    svchost.exe
    C:\windows\system32\spoolsv.exe
    C:\windows\Explorer.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\windows\system32\svchost.exe -k imgsvc
    C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\Program Files\Nero\Nero 7\InCD\InCD.exe
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\AVG\AVG10\avgnsx.exe
    C:\Program Files\AVG\AVG10\avgemcx.exe
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\PROGRA~1\AVG\AVG10\avgrsx.exe
    C:\Program Files\AVG\AVG10\avgcsrvx.exe
    C:\windows\system32\ctfmon.exe
    C:\Program Files\DAEMON Tools Lite\DTLite.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Documents and Settings\Owner\Desktop\dds.com

    ============== Pseudo HJT Report ===============

    uLocal Page = \blank.htm
    uStart Page = hxxp://www.google.com.au/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    EB: {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - No File
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [InCD] c:\program files\nero\nero 7\incd\InCD.exe
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    uPolicies-explorer: NoResolveTrack = 1 (0x1)
    uPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-explorer: NoResolveTrack = 1 (0x1)
    mPolicies-system: EnableLUA = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    Hosts: 127.0.0.1 www.spywareinfo.com

    ============= SERVICES / DRIVERS ===============

    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
    R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2008-3-2 155136]
    R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2008-3-2 5248]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-9 299984]
    R1 crlscsi;crlscsi;c:\windows\system32\drivers\crlscsi.sys [2009-11-24 6144]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-10 6127184]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]

    =============== Created Last 30 ================

    2010-12-25 01:54:16 -------- d-----w- C:\VLC
    2010-12-25 01:15:05 -------- d-----w- c:\docume~1\owner\applic~1\AVG10
    2010-12-25 01:11:15 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
    2010-12-25 01:07:31 -------- d-----w- c:\windows\system32\drivers\AVG
    2010-12-25 01:07:31 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
    2010-12-25 01:03:07 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
    2010-12-25 00:25:04 0 ----a-w- c:\windows\ativpsrm.bin
    2010-12-24 22:41:29 2951802 ----a-w- C:\EClea2_0.exe
    2010-12-24 12:04:09 -------- d-----w- c:\docume~1\owner\applic~1\GlarySoft
    2010-12-24 11:57:52 -------- d-----w- c:\program files\Glary Utilities
    2010-12-15 04:48:21 -------- d-----w- c:\documents and settings\owner\Revenge of the Titans 1.6
    2010-12-15 04:48:12 -------- d-sh--w- c:\docume~1\owner\locals~1\applic~1\.#
    2010-12-15 04:46:16 -------- d-----w- c:\program files\Games
    2010-12-09 21:59:23 -------- d-----w- c:\program files\Radical Games
    2010-11-29 00:17:52 -------- d-----w- c:\program files\DreamCatcher
    2010-11-26 13:08:36 -------- d-----w- c:\docume~1\owner\applic~1\Activision
    2010-11-26 12:44:08 -------- d-----w- C:\Marvel Ultimate Alliance

    ==================== Find3M ====================

    2010-11-04 03:29:52 1409 ----a-w- c:\windows\QTFont.for

    ============= FINISH: 13:30:02.40 ===============

  2. #2
    Blade81, Security Expert: Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 25,288)

    Hi,

    Looks otherwise ok but some programs need updating. Download and run Secunia Personal Software Inspector (PSI) and fix its findings.

    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3
    Junior Member (Join Date: Dec 2010, Posts: 16)

    Quote Originally Posted by Blade81:
    Hi,

    Looks otherwise ok but some programs need updating. Download and run Secunia Personal Software Inspector (PSI) and fix its findings.

    Hello. Thanks for the reply. So it's not a virus or any form of malware? I wonder what could be causing the strain on my system? I downloaded RootAlyzer recently in the hopes of narrowing down my problem. Here are the various logs.

    Spybot - Search & Destroy Include File:

    // info: Rootkit removal help file
    // copyright: (c) 2008-2009 Safer-Networking Ltd. All rights reserved.

    :: RootAlyzer Results
    File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\AVG10\Chjw\68c0509cc0507274.dat:86244741-2e85-420d-ba0e-fd1355d95848:$DATA"
    RegyKey:"Invisible to Win32","HKEY_LOCAL_MACHINE","\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\","0Jf40"
    RegyKey:"Invisible to Win32","HKEY_LOCAL_MACHINE","\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\","0Jf41"
    RegyKey:"Invisible to Win32","HKEY_LOCAL_MACHINE","\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\","0Jf42"
    RegyKey:"Invisible to Win32","HKEY_LOCAL_MACHINE","\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\","0Jf43"
    RegyKey:"Invisible to Win32","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet005\Services\d347prt\Cfg\","0Jf40"
    RegyKey:"Invisible to Win32","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet005\Services\d347prt\Cfg\","0Jf41"
    RegyKey:"Invisible to Win32","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet005\Services\d347prt\Cfg\","0Jf42"
    RegyKey:"Invisible to Win32","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet005\Services\d347prt\Cfg\","0Jf43"

    Avenger Script:

    Comment:
    File created using RootAlyzer to help your get rid of a rootkit.

    Files to delete:
    C:\Documents and Settings\All Users\Application Data\AVG10\Chjw\68c0509cc0507274.dat:86244741-2e85-420d-ba0e-fd1355d95848:$DATA

    Folders to delete:

    Registry keys to delete:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf42
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf43
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\d347prt\Cfg\0Jf40
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\d347prt\Cfg\0Jf41
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\d347prt\Cfg\0Jf42
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\d347prt\Cfg\0Jf43

    Registry values to delete:

    ComboFix script:

    File::
    C:\Documents and Settings\All Users\Application Data\AVG10\Chjw\68c0509cc0507274.dat:86244741-2e85-420d-ba0e-fd1355d95848:$DATA

    Folder::

    Registry::
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf42]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf43]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\d347prt\Cfg\0Jf40]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\d347prt\Cfg\0Jf41]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\d347prt\Cfg\0Jf42]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\d347prt\Cfg\0Jf43]

    Could this be the cause?
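
RootAlyzer reports two kinds of thing here: registry keys the kernel sees but the Win32 API does not ("Invisible to Win32") and an NTFS alternate data stream it cannot attribute ("Unknown ADS"). Both also occur for legitimate software: a driver may keep its configuration in keys it deliberately hides, and security products write data streams under their own folders. The defensive step is to attribute each finding before anything is deleted, which is also where the Avenger and ComboFix scripts generated above go wrong: they list every hidden item for removal without asking who owns it. The script below is an added example (not code from this thread or from RootAlyzer) that parses the `File:` / `RegyKey:` lines posted above and checks them against an allowlist. The allowlist entries are assumptions for this example, chosen to match what this thread's own DDS process list shows: `d347prt` is treated as the DAEMON Tools driver (`DTLite.exe` is running on the machine, and `d347bus`/`d347prt` are the driver names DAEMON Tools installs), and the ADS under the `AVG10` data folder as AVG's own. One made-up entry under `SOFTWARE\ExampleVendor` is included to show how an unexplained finding is reported.

```python
"""Triage RootAlyzer 'hidden item' findings against an allowlist.

Added example: not code from this thread or from RootAlyzer. SAMPLE is a
constructed excerpt of the results posted above plus one made-up entry
(under SOFTWARE\\ExampleVendor) that shows how an unexplained finding is reported.
"""
import csv
import re

SAMPLE = r'''File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\AVG10\Chjw\68c0509cc0507274.dat:86244741-2e85-420d-ba0e-fd1355d95848:$DATA"
RegyKey:"Invisible to Win32","HKEY_LOCAL_MACHINE","\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\","0Jf40"
RegyKey:"Invisible to Win32","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet005\Services\d347prt\Cfg\","0Jf40"
RegyKey:"Invisible to Win32","HKEY_LOCAL_MACHINE","\SOFTWARE\ExampleVendor\","hidden"
'''

# Allowlist: (pattern matched against the full location, explanation). Both entries are
# assumptions for this example: d347prt is taken to be the DAEMON Tools driver seen in the
# thread's process list, and the ADS lives under AVG's own data folder.
ALLOWLIST = [
    (re.compile(r"\\Services\\d347prt\\Cfg\\", re.I), "DAEMON Tools driver configuration keys"),
    (re.compile(r"\\Application Data\\AVG10\\.*:\$DATA$", re.I), "alternate data stream under AVG's data folder"),
]


def parse_rootalyzer(text):
    """Return (kind, reason, location) for each File:/RegyKey: result line."""
    items = []
    for line in text.splitlines():
        kind, sep, rest = line.partition(":")
        if not sep or kind not in ("File", "RegyKey"):
            continue
        fields = next(csv.reader([rest]))  # the rest of the line is one CSV record
        if kind == "File" and len(fields) >= 2:
            items.append((kind, fields[0], fields[1]))
        elif kind == "RegyKey" and len(fields) >= 4:
            reason, hive, key, name = fields[:4]
            items.append((kind, reason, hive + key + name))  # full path, ControlSet included
    return items


def classify(items, allowlist=ALLOWLIST):
    """Split findings into (location, explanation) pairs the allowlist accounts for and ones to review."""
    explained, review = [], []
    for kind, reason, location in items:
        for pattern, why in allowlist:
            if pattern.search(location):
                explained.append((location, why))
                break
        else:
            review.append((kind, reason, location))
    return explained, review


if __name__ == "__main__":
    explained, review = classify(parse_rootalyzer(SAMPLE))
    for location, why in explained:
        print(f"known  : {location}  ({why})")
    for kind, reason, location in review:
        print(f"REVIEW : {kind} {reason}: {location}")
```

Run as is, the three findings from the thread are explained by the allowlist and only the constructed `ExampleVendor` key is left for review. The pattern for `d347prt` deliberately ignores which ControlSet the key sits in, since the same hidden configuration appears under both `CurrentControlSet` and `ControlSet005` in the posted output; an entry that matches no allowlist rule is something to identify (which driver or product owns it) rather than something to feed to a removal script.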

  4. #4
    Blade81, Security Expert: Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 25,288)

    Hi,

    You shouldn't run Avenger and ComboFix to nuke something that may not be a bad item (this shouldn't be done for bad items either unless trained to use those tools).

  5. #5
    Junior Member (Join Date: Dec 2010, Posts: 16)

    Quote Originally Posted by Blade81:
    Hi,

    You shouldn't run Avenger and ComboFix to nuke something that may not be bad item (this shouldn't be done for bad items either unless trained to use those tools).

    I haven't done anything yet. Are the items that RootAlyzer found via the deep scan bad ones? They came up as hidden files. What should my next action be? There is a definite problem. Not only am I experiencing slow-downs but something is draining my disk space. I had 9.77 GB worth of hard drive space earlier today and after a while it was reduced to 9.45 GB.

  6. #6
    Blade81, Security Expert: Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 25,288)

    Hi,

    Those RootAlyzer findings can be ignored. Please post fresh dds logs after taking action PSI suggests.

  7. #7
    Junior Member (Join Date: Dec 2010, Posts: 16)

    Quote Originally Posted by Blade81:
    Hi,

    Those RootAlyzer findings can be ignored. Please post fresh dds logs after taking action PSI suggests.

    Okay, I've updated everything that I could with PSI but there has been no change. The problem continues to persist, continuing to cause periodic slow-downs and eat my hard-drive space. When I did the updates via PSI my space went down from 9.451 GB to 8.35 GB (despite the updates not being very large at all). With system restore I was able to reclaim some space, bringing it up to 9.07 GB. It seems that even basic activities drain it.

    No matter what I've done the issue is still there. I've tried defragmenting, disk checking. All to no avail. If it isn't Malware or a virus, how can I narrow the problem down?

    Here is my DDS log and attached file.

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Owner at 19:06:22.57 on Sun 01/02/2011
    Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_22
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.333 [GMT 11:00]

    AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
    C:\windows\system32\Ati2evxx.exe
    C:\windows\system32\svchost -k DcomLaunch
    svchost.exe
    C:\windows\System32\svchost.exe -k netsvcs
    svchost.exe
    C:\windows\system32\Ati2evxx.exe
    svchost.exe
    C:\windows\system32\spoolsv.exe
    C:\windows\Explorer.EXE
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
    C:\Program Files\Nero\Nero 7\InCD\InCD.exe
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\windows\system32\svchost.exe -k imgsvc
    C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Program Files\AVG\AVG10\avgnsx.exe
    C:\windows\System32\svchost.exe -k HTTPFilter
    C:\PROGRA~1\AVG\AVG10\avgrsx.exe
    C:\Program Files\AVG\AVG10\avgcsrvx.exe
    C:\windows\system32\ctfmon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\DivX\DivX Plus Web Player\DDMService.exe
    c:\program files\real\realplayer\update\realsched.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Documents and Settings\Owner\Desktop\dds.com

    ============== Pseudo HJT Report ===============

    uLocal Page = \blank.htm
    uStart Page = hxxp://www.google.com.au/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    EB: {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - No File
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    mRun: [InCD] c:\program files\nero\nero 7\incd\InCD.exe
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    mRun: [DivX Download Manager] "c:\program files\divx\divx plus web player\DDmService.exe" start
    mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
    uPolicies-explorer: NoResolveTrack = 1 (0x1)
    uPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-explorer: NoResolveTrack = 1 (0x1)
    mPolicies-system: EnableLUA = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1293948596578
    DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1293948578093
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    Hosts: 127.0.0.1 www.spywareinfo.com

    ============= SERVICES / DRIVERS ===============

    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
    R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2008-3-2 155136]
    R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2008-3-2 5248]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 251728]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-9 299984]
    R1 crlscsi;crlscsi;c:\windows\system32\drivers\crlscsi.sys [2009-11-24 6144]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-23 6128208]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
    S2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2010-12-21 399416]
    S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
    S3 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2010-12-21 987704]

    =============== Created Last 30 ================

    2011-01-02 07:41:35 11776 ----a-w- c:\program files\mozilla firefox\plugins\nprjplug.dll
    2011-01-02 07:41:09 -------- d-----w- c:\program files\common files\xing shared
    2011-01-02 07:40:43 151776 ----a-w- c:\program files\mozilla firefox\plugins\nppl3260.dll
    2011-01-02 07:40:32 100352 ----a-w- c:\program files\mozilla firefox\plugins\nprpjplug.dll
    2011-01-02 07:13:38 -------- d-----w- c:\docume~1\owner\applic~1\Local
    2011-01-02 07:09:53 -------- d-----w- c:\program files\common files\DivX Shared
    2011-01-02 07:07:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\DivX
    2011-01-02 07:01:20 -------- d-----w- c:\program files\iPod
    2011-01-02 07:00:26 -------- d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2011-01-02 07:00:25 -------- d-----w- c:\program files\iTunes
    2011-01-02 06:52:40 -------- d-----w- c:\program files\Bonjour
    2011-01-02 06:29:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-01-02 06:29:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-01-02 06:29:53 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    2011-01-02 06:24:23 -------- d-----r- c:\program files\Skype
    2010-12-30 19:13:47 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\Secunia PSI
    2010-12-30 19:11:11 -------- d-----w- c:\program files\Secunia
    2010-12-26 04:34:43 -------- d--h--w- C:\$AVG
    2010-12-25 01:54:16 -------- d-----w- C:\VLC
    2010-12-25 01:15:05 -------- d-----w- c:\docume~1\owner\applic~1\AVG10
    2010-12-25 01:11:15 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
    2010-12-25 01:07:31 -------- d-----w- c:\windows\system32\drivers\AVG
    2010-12-25 01:07:31 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
    2010-12-25 01:03:07 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
    2010-12-25 00:25:04 0 ----a-w- c:\windows\ativpsrm.bin
    2010-12-24 22:41:29 2951802 ----a-w- C:\EClea2_0.exe
    2010-12-24 12:04:09 -------- d-----w- c:\docume~1\owner\applic~1\GlarySoft
    2010-12-15 04:48:21 -------- d-----w- c:\documents and settings\owner\Revenge of the Titans 1.6
    2010-12-15 04:48:12 -------- d-sh--w- c:\docume~1\owner\locals~1\applic~1\.#
    2010-12-15 04:46:16 -------- d-----w- c:\program files\Games
    2010-12-09 21:59:23 -------- d-----w- c:\program files\Radical Games

    ==================== Find3M ====================

    2011-01-02 07:40:16 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2010-11-29 06:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-29 06:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-11-12 00:44:54 94208 ----a-w- c:\windows\system32\dpl100.dll
    2010-11-08 22:57:04 353592 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
    2010-10-07 01:23:02 91424 ----a-w- c:\windows\system32\dnssd.dll
    2010-10-07 01:23:02 75040 ----a-w- c:\windows\system32\jdns_sd.dll
    2010-10-07 01:23:02 197920 ----a-w- c:\windows\system32\dnssdX.dll
    2010-10-07 01:23:02 107808 ----a-w- c:\windows\system32\dns-sd.exe

    ============= FINISH: 19:07:32.10 ===============

  8. #8
    Blade81, Security Expert: Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 25,288)

    Hi,

    Disable word wrap in notepad.

    Please visit this webpage for download links, and instructions for running ComboFix tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Please ensure you read this guide carefully first.

    Please continue as follows:

    1. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix (link).
      Remember to re-enable them afterwards.

    2. Click Yes to allow ComboFix to continue scanning for malware.


    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    C:\ComboFix.txt
    New dds log.


    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

  9. #9
    Junior Member (Join Date: Dec 2010, Posts: 16)

    Unfortunately, ComboFix refused to go to the scanning and cleaning stage even after I disabled AVG and Spybot's Teatimer utility. According to the prompt I got, I needed to uninstall AVG. When I tried to do that, AVG gave me a prompt indicating that I did not have sufficient privileges to remove it (despite being the administrator). It seems that I'm at an impasse.

  10. #10
    Blade81, Security Expert: Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 25,288)

    Hi,

    Let's see if AVG's own remover does the trick.

    Download AVG Remover from here and save it to your Desktop.
    • Close all open programs
    • Double click on avgremover.exe (if running Vista or Windows 7, right click on it and choose to run as an Administrator)
    • Follow the prompts to run the tool
    • If after running the tool it prompts you to reboot the computer, please allow it to do so. If you are not prompted, please manually reboot the computer.
