Vista Problem

RussJK

Would be interested if you could post some Malwarebytes logs for our edification, always good to learn more. Similarly the logs from Kaspersky and AVG.

I'd make sure you've only got one antivirus installed, and that you run the removal tool for whichever one you choose to uninstall.

Afterwards, feel free to post a new Hijackthis log if you want us to make sure it looks right.

Did you run the two rootkit scanners? (aswmbr, tdsskiller) I wouldn't count on everything being gone, it might be worthwhile to run Combofix, can read about how to use it properly here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

davidjwest

Sure, no worries:


Malwarebytes' Anti-Malware 1.51.0.1200
https://www.malwarebytes.org

Database version: 6847

Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.19048

13/06/2011 15:51:55
mbam-log-2011-06-13 (15-51-55).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 384027
Time elapsed: 1 hour(s), 53 minute(s), 19 second(s)

Memory Processes Infected: 3
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 6
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 11

Memory Processes Infected:
c:\Users\User\AppData\Roaming\dwm.exe (Trojan.Downloader) -> 576 -> Unloaded process successfully.
c:\Users\User\AppData\Roaming\microsoft\conhost.exe (Backdoor.Cycbot.Gen) -> 2060 -> Unloaded process successfully.
c:\Users\User\AppData\Local\Temp\csrss.exe (Backdoor.Cycbot.Gen) -> 3504 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4D1EC4CA-4B92-4324-B8F8-C9A6ED06A8AE} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost (Backdoor.Cycbot.Gen) -> Value: conhost -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Value: Load -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen) -> Value: Shell -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Elace (Trojan.Agent.U) -> Value: Elace -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Backdoor.Cycbot.Gen) -> Bad: (C:\Users\User\AppData\Local\Temp\csrss.exe) Good: () -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("C:\Users\User\AppData\Local\pcc.exe" -a "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.

Folders Infected:
c:\newdnswatch (Trojan.SpyEyes) -> Quarantined and deleted successfully.

Files Infected:
c:\Users\User\AppData\Roaming\dwm.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Users\User\AppData\Roaming\microsoft\conhost.exe (Backdoor.Cycbot.Gen) -> Quarantined and deleted successfully.
c:\Users\User\AppData\Local\Temp\csrss.exe (Backdoor.Cycbot.Gen) -> Quarantined and deleted successfully.
c:\$Recycle.Bin\s-1-5-21-2510175770-1106479267-1725109926-1000\$RFHN3HV.exe (Backdoor.Cycbot.Gen) -> Quarantined and deleted successfully.
c:\Users\User\AppData\Local\Temp\0.7401892673363712.exe (Backdoor.Cycbot.Gen) -> Quarantined and deleted successfully.
c:\Users\User\AppData\LocalLow\Sun\Java\deployment\cache\6.0\30\794556de-7619ef32 (Backdoor.Cycbot.Gen) -> Quarantined and deleted successfully.
c:\Users\User\downloads\openoffice.exe (PUP.SmsPay.PGen) -> Not selected for removal.
c:\Windows\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{bbaeaeaf-1275-40e2-bd6c-bc8f88bd114a}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\newdnswatch\config.bin (Trojan.SpyEyes) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{810401e2-dde0-454e-b0e2-aa89c9e5967c}.job (Trojan.FraudPack) -> Quarantined and deleted successfully.

Happy to share logs from Kaspersky and AVG if you can let me know how to get at them!

Here's my Hijack This log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 16:48:10, on 13/06/2011
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.19048)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iBryte\playbryte\iBryteDesktop.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Steam\steam.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Users\User\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\User\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Users\User\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\User\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\rundll32.exe
C:\Users\User\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\User\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Hijack\Trend Micro\HiJackThis\HiJackThis.exe
C:\Users\User\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.malwarebytes.org/index.php?showtopic=6944
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\ievkbd.dll
O2 - BHO: PlayBryte BHO - {61e0ef7a-9bc0-45ea-9b2f-f3e9f02692bd} - mscoree.dll (file missing)
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\klwtbbho.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O3 - Toolbar: Alexa Toolbar - {EA582743-9076-4178-9AA6-7393FDF4D5CE} - C:\Program Files\Alexa Toolbar\AlexaToolbar.10.0.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: PlayBryte Toolbar - {b278d9f8-0fa9-465e-9938-0c392605d8e3} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] C:\Program Files\Realtek\Audio\HDA\Skytel.exe
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [iBryte playbryte Desktop] C:\Program Files\iBryte\playbryte\ibrytedesktop.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\User\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\ie_banner_deny.htm
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
O9 - Extra button: &Virtual Keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\klwtbbho.dll
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\klwtbbho.dll
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: Kaspersky Anti-Virus Service (AVP) - Kaspersky Lab ZAO - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 8900 bytes

A few things there still not fixed, any more ideas? I've no problems that have any symptoms now so if they aren't going to cause me any issues I can leave them.

Regards the rootkit scanners, I ran tdsskiller fine, nothing found but got a BSOD with aswmbr, takes me back!

Will try Combofix, thanks.

RussJK

Thanks for that! For Kaspersky or AVG logs, you'd have to look in the programs themselves as I'm not sure without looking into it.

Looks like there is still Kaspersky installed alongside AVG. You might have to uninstall AVG anyway to run Combofix. I don't like that aswMBR caused a blue screen, usually a sign of a rootkit. Could also be just because you have two AVs running together, which can cause instabilities.
http://www.avg.com/gb-en/download-tools
http://support.kaspersky.com/faq/?qid=208279463

I would uninstall McAfee Security Scan and make sure all references are gone from the Hijackthis log.

What is the PlayBryte toolbar?

You should disable Windows Defender realtime guard as it doesn't need to run with AVG or Kaspersky on board (Control Panel > Windows Defender)

Unless a program uses Java (with the icon starting in the system tray), it's safer to just uninstall it. At worst, can just reinstall if it turns out you need it.

I would go into Start > Msconfig > Startups, and untick all these. If you have any trouble, you can just retick an tiem:
[Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
[IgfxTray] C:\Windows\system32\igfxtray.exe
[HotKeysCmds] C:\Windows\system32\hkcmd.exe
[Persistence] C:\Windows\system32\igfxpers.exe
[Skytel] C:\Program Files\Realtek\Audio\HDA\Skytel.exe
[Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
[Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
[SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
[QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
[iBryte playbryte Desktop] C:\Program Files\iBryte\playbryte\ibrytedesktop.exe


You should re-run Hijackthis and Check and Fix these:
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\User\AppData\Local\Google\Update\GoogleU pdate.exe" /c
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent (steam doesn't need to start on system start)
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?


If you go into Start, then type Services.msc, find each of the following and change their startup type to Manual (or disabled for the google items):
Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

davidjwest

Thanks, no idea what the PlayBryte Toolbar is, probably some rubbish that came with something else I downloaded and I forgot to untick a box after reading a dozen pages of stuff!

I've uninstalled that now.

The aswMBR is now running OK after I got rid of McAfee, I seem to have the ntkrnlpa.exe that it highlights in red on the website but I don't get the option to fix, but I do get the FixMBR option although I don't appear to have that showing - how can I post the log, it's .dat and nothing seems to open it on this Windows machine.

Thanks again, will go through the other advice tomorrow and report back.

RussJK

The aswMBR result is probably fine - unless it directly says it's found a rootkit code or the MBR has unknown code (in the absence of any reason for it) then I wouldn't think too much about it.