okey dokey - in our latest episode:
I downloaded ComboFix and figured out how to disable both MSE and Avast - the link you gave helped.
I ran ComboFix and got the following:
AVG Free 2013 Scanner was still active - clicked OK (didn't know what else to do?!?!?)
Second warning that AVG was still enabled - tried to X out and ComboFix ran anyway.
Got the message that Microsoft Recovery Console was not installed or needed to be updated - clicked Yes to have ComboFix install it. Installation was successful.
Clicked Yes to continue and got the following log:
ComboFix 12-12-10.01 - user1 12/11/2012 19:51:04.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.669 [GMT -6:00]
Running from: c:\documents and settings\user1\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: AVG Anti-Virus Free Edition 2013 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\Cache
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\31a0997e9a5b5eb3.fb
c:\windows\system32\Cache\32c84fe32bb74d60.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\52b4e33f16e0fe11.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\6d03dad1035885d3.fb
c:\windows\system32\Cache\a8556537add6dfc5.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\c1fa887b03019701.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\f998975c9cc711ee.fb
.
.
((((((((((((((((((((((((( Files Created from 2012-11-12 to 2012-12-12 )))))))))))))))))))))))))))))))
.
.
2012-12-11 12:06 . 2012-11-19 07:04 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EA499C25-BFB8-4362-868F-4D9D288265DD}\mpengine.dll
2012-12-11 11:53 . 2012-12-11 11:53 -------- d-----w- C:\TDSSKiller_Quarantine
2012-12-08 02:05 . 2012-12-08 02:07 -------- dc-h--w- c:\windows\ie8
2012-12-08 01:28 . 2012-10-30 23:51 361032 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-12-08 01:28 . 2012-10-30 23:51 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-12-08 01:28 . 2012-10-30 23:51 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-12-08 01:28 . 2012-10-30 23:51 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-12-08 01:28 . 2012-10-30 23:51 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-12-08 01:28 . 2012-10-30 23:51 97608 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-12-08 01:28 . 2012-10-30 23:51 89752 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-12-08 01:28 . 2012-10-30 23:51 25256 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-12-08 01:27 . 2012-10-30 23:51 41224 ----a-w- c:\windows\avastSS.scr
2012-12-08 01:27 . 2012-10-30 23:50 227648 ----a-w- c:\windows\system32\aswBoot.exe
2012-12-08 01:27 . 2012-12-08 01:27 -------- d-----w- c:\program files\AVAST Software
2012-12-08 01:27 . 2012-12-08 01:27 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2012-12-08 00:58 . 2012-11-19 07:04 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-12-08 00:57 . 2012-05-31 17:25 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-12-08 00:56 . 2012-12-08 00:56 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2012-12-08 00:55 . 2012-12-08 00:55 -------- d-----w- c:\program files\Microsoft Security Client
2012-12-07 12:29 . 2012-12-07 12:29 -------- d-----w- c:\windows\system32\wbem\Repository
2012-12-07 12:28 . 2012-12-08 02:16 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Secure Search
2012-12-06 11:35 . 2012-12-06 11:35 -------- d-----w- C:\_OTL
2012-12-06 02:18 . 2012-12-06 02:18 -------- d-----w- c:\documents and settings\user1\Application Data\TuneUp Software
2012-12-06 02:17 . 2012-12-06 02:17 26984 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2012-12-06 02:00 . 2012-12-06 02:00 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2012-12-06 02:00 . 2012-12-07 12:28 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2012-12-06 02:00 . 2012-12-06 02:00 -------- d-----w- c:\documents and settings\user1\Local Settings\Application Data\MFAData
2012-12-06 01:43 . 2012-09-25 05:16 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-08 02:56 . 2012-09-29 03:16 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-08 02:56 . 2012-09-29 03:16 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-22 08:37 . 2008-04-14 00:00 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-10-02 18:04 . 2008-04-14 04:42 58368 ----a-w- c:\windows\system32\synceng.dll
2012-09-30 01:54 . 2012-10-11 01:44 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-30 00:40 . 2012-09-30 00:41 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-09-30 00:40 . 2012-09-30 00:41 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-21 09:46 . 2012-09-21 09:46 177376 ----a-w- c:\windows\system32\drivers\avglogx.sys
2012-12-05 18:36 . 2012-12-05 18:36 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-10-30 23:50 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2007-11-26 1206600]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-24 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-24 118784]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"AVG_UI"="c:\program files\AVG\AVG2013\avgui.exe" [2012-11-07 3143800]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-12-07 997320]
"ROC_roc_ssl_v12"="c:\program files\AVG Secure Search\ROC_roc_ssl_v12.exe" [2012-12-06 1020512]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2013\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DOOM II\\DOOM II\\DOOM95.EXE"=
"c:\\Program Files\\AVG\\AVG2013\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgemcx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"28034:UDP"= 28034:UDP:UDP 28034
"29366:TCP"= 29366:TCP:TCP 29366
.
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [9/21/2012 3:46 AM 177376]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [12/7/2012 7:28 PM 738504]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/7/2012 7:28 PM 361032]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [12/5/2012 8:17 PM 26984]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/7/2012 7:28 PM 21256]
R2 vToolbarUpdater13.2.0;vToolbarUpdater13.2.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe [12/5/2012 8:17 PM 711112]
R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [4/4/2012 3:34 PM 598856]
S0 AVGIDSHX;AVGIDSHX;c:\windows\system32\DRIVERS\avgidshx.sys --> c:\windows\system32\DRIVERS\avgidshx.sys [?]
S1 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\avgidsshimx.sys --> c:\windows\system32\DRIVERS\avgidsshimx.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 29846650
*NewlyCreated* - 69209089
*Deregistered* - 29846650
*Deregistered* - 69209089
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-12 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-09-29 02:56]
.
2012-12-12 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2012-12-08 23:50]
.
2012-12-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-1958367476-1606980848-1003Core.job
- c:\documents and settings\user1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-08-30 18:30]
.
2012-12-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-1958367476-1606980848-1003UA.job
- c:\documents and settings\user1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-08-30 18:30]
.
2012-12-11 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-09-12 23:25]
.
.
------- Supplementary Scan -------
.
uStart Page =
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\13.2.0\ViProtocol.dll
FF - ProfilePath - c:\documents and settings\user1\Application Data\Mozilla\Firefox\Profiles\u7lnonmq.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:home
FF - ExtSQL: 2012-12-07 06:33; avg@toolbar; c:\documents and settings\All Users\Application Data\AVG Secure Search\FireFoxExt\13.2.0.5
FF - ExtSQL: 2012-12-07 18:34; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - ExtSQL: 2012-12-07 19:28; [email protected]; c:\program files\AVAST Software\Avast\WebRep\FF
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-10838806.sys
SafeBoot-29846650.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2012-12-11 19:56
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-12-11 19:58:14
ComboFix-quarantined-files.txt 2012-12-12 01:58
.
Pre-Run: 67,622,727,680 bytes free
Post-Run: 67,644,260,352 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - E85A099D170E28BEE28EBD1DFAA9E14B