Virus infection, please help!
Hi,
AVG keeps detecting a virus in explorer.exe and confims removal but it doesn't seem to go away. I tried malwarebytes as well but the result is the same.
I keep getting popups and my computer seems a little slower. Here is the DDS log. I have also included the zipped up Attach.txt.
I appreciate your help in advance!
.
DDS (Ver_2011-06-03.01) - NTFSx86
Internet Explorer: 7.0.5730.11
Run by sangs at 8:05:38 on 2011-06-06
.
============== Running Processes ===============
.
\??\C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\WINDOWS\system32\locator.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
C:\WINDOWS\System32\alg.exe
\??\C:\PROGRA~1\AVG\AVG10\avgrsx.exe
\??\C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Documents and Settings\sangs\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k eapsvcs
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
uInternet Settings,ProxyServer = proxy.swmed.edu:3128
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\adobe acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [cdloader] "c:\documents and settings\sangs\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [Google Update] "c:\documents and settings\sangs\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Transfer by Image Converter 2 - c:\program files\sony\image converter 2\menu.htm
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Trusted Zone: hulu.com\www
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1 68.238.96.12
TCP: Interfaces\{5423AAE9-2B16-4FFC-A9C4-79BDB056974D} : DhcpNameServer = 192.168.1.1 68.238.96.12
TCP: Interfaces\{D2D6BCDF-56EB-421A-8218-07FBD3648C39} : DhcpNameServer = 192.168.1.1 68.238.96.12
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: itlntfy - itlnfw32.dll
Notify: VESWinlogon - VESWinlogon.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {FA010552-4A27-4cb1-A1BB-3E2D697F1639} - No File
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\sangs\application data\mozilla\firefox\profiles\hoi07elg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\sangs\local settings\application data\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJPI150.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPOJI610.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox
.
============= SERVICES / DRIVERS ===============
.
R? FlashPT;FlashPT
R? itlperf;Intel CPU
S? AVGIDSAgent;AVGIDSAgent
S? AVGIDSDriver;AVGIDSDriver
S? AVGIDSEH;AVGIDSEH
S? AVGIDSFilter;AVGIDSFilter
S? AVGIDSShim;AVGIDSShim
S? Avgldx86;AVG AVI Loader Driver
S? Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield
S? Avgrkx86;AVG Anti-Rootkit Driver
S? Avgtdix;AVG TDI Driver
S? avgwd;AVG WatchDog
S? cmdAgent;COMODO Internet Security Helper Service
S? cmdGuard;COMODO Internet Security Sandbox Driver
S? cmdHlp;COMODO Internet Security Helper Driver
.
=============== Created Last 30 ================
.
2011-05-29 22:53:48 114688 ----a-w- c:\windows\system32\igfxzoom.exe
2011-05-29 22:36:47 -------- d-----w- c:\documents and settings\sangs\application data\AVG10
2011-05-29 22:21:51 -------- d-----w- c:\windows\system32\drivers\AVG
2011-05-29 22:21:50 -------- d-----w- c:\documents and settings\all users\application data\AVG10
2011-05-16 00:14:05 -------- d-----w- c:\documents and settings\sangs\application data\Malwarebytes
2011-05-16 00:13:59 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-16 00:13:57 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-05-16 00:13:54 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-16 00:13:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-13 12:31:49 -------- d--h--w- C:\$AVG
2011-05-13 00:38:02 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-05-13 00:26:10 -------- d-----w- c:\documents and settings\all users\application data\MFAData
.
==================== Find3M ====================
.
2011-04-15 02:28:42 134480 ----a-w- c:\windows\system32\drivers\AVGIDSDriver.sys
2011-04-05 05:59:56 297168 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-03-16 21:03:20 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2006-01-13 15:39:51 330358 -c--a-w- c:\program files\SetupIP.Exe
2005-10-21 13:58:46 65802752 -c--a-w- c:\program files\SigmaPlot9.exe
2005-10-19 01:13:45 381480 -c--a-w- c:\program files\msgr7us.exe
2005-10-18 19:38:31 81995 -c--a-w- c:\program files\InstHelper.dll
2005-10-18 19:38:31 56320 -c--a-w- c:\program files\Setup.exe
2005-10-18 19:38:31 507 -c--a-w- c:\program files\layout.bin
2005-10-18 19:38:31 143360 -c--a-w- c:\program files\installservice.exe
2005-10-18 19:38:30 45129 -c--a-w- c:\program files\DelayInst.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: TOSHIBA_MK8025GAS rev.KA023H -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x831174D0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8311d7f0]; MOV EAX, [0x8311d86c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX,
[ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x831299C0]
3 CLASSPNP[0xF8694FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000077[0x83150458]
5 ACPI[0xF850B620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x831CED98]
\Driver\atapi[0x83134918] -> IRP_MJ_CREATE -> 0x831174D0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5;
REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8311731B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 8:24:33.26 ===============
Edit
This is a different machine. The previous one was a desktop and this is on my laptop.
Thanks!
Combo Fix and new DDS logs
Thanks for helping me out with this problem.
Here are the Combo Fix and DDS logs.
Combo Fix script and ESET results
Hi,
Thanks a lot for helping with this problem!
ESET finished successfully and didn't find any threats. But it didn't generate any log file. I have attached the other 2 log files (combo fix results after running the script and DDS).