Windows XP SP3 severely infected by a devious worm/trojan/virus

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by lovelychihuahua, Feb 22, 2011.

  1. lovelychihuahua

    lovelychihuahua Private E-2

    Hello fine folks,

    I want to start off by saying how grateful I am that such
    brilliant and seasoned professionals are willing to donate
    their considerable talents toward helping those of us that
    depend desperately upon these machines to facilitate our
    everyday lives, yet steadfastly remain mystified as to their
    inner workings.

    Having undergone my first infection, I must say that I
    appreciate the skill and talent of the person (or persons)
    who have compromised my system and am suitably impressed.

    But my praise goes out to those of you that have resisted
    the temptation to use your talent for evil, choosing instead
    to spend your free time helping idiots like me repel those
    devious little pieces of sophisticated ingenuity that ruin
    our computers (and by extension, our lives).

    I'm not just blowing smoke up your snatch...I truly
    appreciate your fight on behalf of the common man against
    those of your peers who have chosen the dark side. I
    appreciate the humor in watching an idiot flounder about in
    pain and ignorance, but God bless you for choosing to help the
    idiot instead of tormenting him (although I'm sure you laugh at
    our antics on a daily basis).

    On to it.

    I have a machine that has been severely compromised. I have
    done my best to follow the guidelines, rules and steps you
    posted for this forum. I have diligently studied and executed
    your instructions and created the correct logs to the best
    of my (severely limited) ability. Hopefully I have given you
    the tools you need to help me.

    I should start off by saying I have misplaced my original OS
    CD-Rom, and therefore will be hard-pressed to re-install XP.

    You asked that I provide a detailed account of what I did to
    allow the malware to take root, and I shall do so now.

    As stated in the subject line, I am running Windows XP SP3 on
    a Dell Inspiron 600m laptop. I am connected to the web
    wirelessly through an Intel Pro Wireless modem, using Windows
    Wireless Connection, through a Gateway 2wire router (2701HGV-8)
    and ATT broadband dsl service.

    My nightmare began about a week ago, when I decided I should try
    to get my netflix to stream live to my tv through my directv dvr.

    I encountered a program called PlayOn, which bridges the
    home network to the directv network (connected to my
    broadband router via an ethernet cable) and tells the dvr to
    treat Netflix, YouTube or any of my picture, video, or music
    files as if they were streaming from directv.

    I downloaded the trial version of PlayOn from the manufacturer's
    website, and was messing around, trying to get it to work.

    In order to do so, I had to open ports on my network to
    allow incoming connections.

    I had limited experience with this, (I know how you guys
    feel about piracy, but in the interest of full disclosure...)
    having used BitTorrent a few times to share music and video
    files.

    I opened the ports to PlayOn, then found a link in a forum (which
    tragically has been erased from my history due to repeated cache
    cleaning) that said an earlier version of PlayOn was more
    streamlined and efficient.

    It directed me to a site where I downloaded PlayOn 2.58.3190

    I have attached the instructions (playon.txt) it gave me to
    workaround the registration (I know this is not an attachment
    you asked for in the guidelines, but I thought it might be useful
    for you to look at, since I edited my registry according to its
    direction).

    I never really got PlayOn to work. It was buggy. At one point,
    I got my dvr to show the PlayOn locations in its menu, but when
    I tried to select them, the TV screen went grey with a "loading"
    process bar for a couple of minutes, then returned to the previous
    channel.

    I started messing with my firewall, both on my machine and on my
    router. I opened ports 1-16 to incoming connections on my laptop
    for PlayOn. I added the dvr to my home wireless network on my router,
    and (I'm embarrassed to say) gave it full DMZ authorization to allow
    all incoming connections. I figured it wasn't hooked up to my
    machine, so it was safe.

    Things started getting weird. My taskbar icons started disappearing,
    my system started bogging down, crashing and taking forever to shut
    down and restart. About once in every three times I tried to start up,
    it would freeze up and I would have to force shutdown by holding down
    the power key on my keyboard until the system died.

    Taskmgr.exe had several processes I hadn't noticed before, such as
    multiple permutations of svchost.exe and a huge portion of system
    resources going to apoint.exe (my touchpad software) and smss.exe.

    I tried scanning my system with AVG Free and was instructed to download
    the most current version of AVG (2011), which came with PCTuneup as a
    bundle.

    After I installed the new AVG, my system started freezing and was slower
    than ever before. Taskmgr.exe showed AVG taking up huge amounts of
    system resources, even when it was running in the background. I ran Cache
    Cleaner (v.3.3.0.1366) and then decided to run PCTuneup, since it was
    new to my system and in a free trial period. I probably made 50 changes
    to my OS with PCTuneup. One of the PCtweaks I implemented was to log me
    on automatically, rather than having to enter a password when I returned
    from standby or hibernation.

    The reason I mention this one tweak among many is that immediately
    thereafter I noticed winlogon.exe gobbling up system resources, running
    near the top in mem usage among my processes.

    Now I started hitting the forums, and I shamefully admit I paid less
    attention to the domain names than the correlation to my google search
    strings. I cannot tell you which download sites I downloaded
    Process Explorer, IObit 360, Malwarebytes and Avira AntiVir from, only
    that I installed them, ran scans, looked at system processes, and tried
    to figure out what was going on. During this frenzy of activity, I
    removed PlayOn and BitTorrent and shut down the firewall permissions
    for incoming connections on both my Windows Firewall and the ATT firewall
    for my broadband connection.

    I also searched for disappearing taskbar icons as a symptom of my issues
    and found a forum thread that directed me to make a copy of explorer.exe,
    rename it explorer1.exe, and rewrite the registry to have Windows recognize
    the new app. Unfortunately, after so many cache cleanings, I have lost the
    history entry for this action and can't remember which registry entries
    I changed.

    None of the scans showed any issues except for Malwarebytes, which found
    and quarantined one memory issue and three registry issues. I have
    attached the log for this scan AS WELL AS the log from the scan I
    performed when following your guidelines on your malware removal forum
    guide. The original log is dated 2011-02-19 and the subsequent log is
    dated 2011-02-22.

    I also tried to start Windows in safe mode, but it froze up on the entry
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS\system32\DRIVERS\agp440.sys
    and still freezes at that point now.

    I noticed Avira taking massive amounts of memory and system resources,
    so I uninstalled it.

    Later, when I was following your guidelines, I was instructed to disable
    any anti-virus software but I kept running into notifications that Avira was
    active, enabled and running. However, IT WAS NOT LISTED in Add/Remove
    Programs, Windows Defender Software Explorer, taskmgr.exe, or
    Process Explorer.

    Windows Defender processes (MsMpEng.exe and MSASCUI.exe) were also hogging
    huge amounts of system resources, so I disabled Windows Defender.

    I also went to another Malware forum, techsupportforum.com, and started
    following their posting guidelines, downloading and installing DDS.scr and
    gmer.exe, before I found your forum and found it to be friendlier and more
    accessible.

    Everything I have done since then has been in accordance to your posted
    guidelines.

    whew.

    I apologize for the outrageous length of this play-by-play, but I thought
    the more information I gave you the better chance you would have helping me
    resolve this issue.

    Thank you in advance for your time and help.

    -lc
     

    Attached Files:

  2. lovelychihuahua

    lovelychihuahua Private E-2

    2nd post with last two attached logs

    Here are the final two logs.

    Thanks again,
    -lc
     

    Attached Files:

  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Important Notice: A new version of SUPERAntiSpyware is available.
    • Please uninstall your current version (this is necessary).
    • Then download this SUPERAntiSpyware
    • Install this new version. It may tell you that you need to reboot to complete the installation. You must reboot at this time.
    • After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.
    • Now run a new full scan of your system. And attach this log later.


    I also need to see the C:\MGlogs.zip from running C:\MGTools.exe
     
    Last edited: Feb 22, 2011
  4. lovelychihuahua

    lovelychihuahua Private E-2

    OK here are the logs you requested!

    Sorry I forgot to include the MGlogs .zip file. Dangit, I was trying so hard to be thorough.

    I also have one more question...my ipod was connected several times during the infection. Is it possible the virus/worm/trojan compromised my ipod as well?

    Thanks again!
    -lc
     

    Attached Files:

  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Not seeing a lot to do really. We can take care of some miscellaneous items and be rid of some temp files.
    Just run a full system scan afterwards with your antivirus when we are finished, with the iPod plugged in.

    Uninstall the below outdated Java.

    • J2SE Runtime Environment 5.0 Update 9
    • Java(TM) 6 Update 23

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix exit HJT.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    File::
    c:\windows\system32\dllcache\OLD57D.tmp
    c:\windows\system32\dllcache\OLD579.tmp
    c:\windows\system32\dllcache\OLD575.tmp
    c:\windows\system32\dllcache\OLD571.tmp
    c:\windows\system32\dllcache\OLD514.tmp
    c:\windows\system32\dllcache\OLD4AC.tmp
    c:\windows\system32\dllcache\OLD44A.tmp
    c:\windows\system32\dllcache\OLD3FF.tmp
    c:\windows\system32\dllcache\OLD37B.tmp
    c:\windows\system32\dllcache\OLD2FE.tmp
    c:\windows\system32\dllcache\OLD252.tmp
    c:\windows\system32\dllcache\OLD1A1.tmp
    c:\windows\system32\dllcache\OLD144.tmp
    c:\windows\system32\dllcache\OLDC0.tmp
    c:\windows\system32\dllcache\OLD1B.tmp
    c:\windows\system32\dllcache\OLD14.tmp
    c:\windows\system32\dllcache\OLD281.tmp
    c:\windows\system32\dllcache\SET27F.tmp
    c:\windows\system32\dllcache\OLDD.tmp
    c:\windows\system32\dllcache\OLD343.tmp
    c:\windows\system32\dllcache\OLD18C.tmp
    c:\windows\system32\dllcache\OLD188.tmp
    c:\windows\system32\dllcache\OLD184.tmp
    c:\windows\system32\dllcache\OLD180.tmp
    c:\windows\system32\dllcache\OLD17C.tmp
    c:\windows\system32\dllcache\OLD178.tmp
    c:\windows\system32\dllcache\OLD174.tmp
    c:\windows\system32\dllcache\OLD170.tmp
    c:\windows\system32\dllcache\OLDB61.tmp
    c:\windows\system32\dllcache\OLDB5C.tmp
    c:\windows\system32\dllcache\OLD4BF.tmp
    c:\windows\system32\dllcache\OLD4BC.tmp
    c:\windows\system32\dllcache\OLD4B8.tmp
    c:\windows\system32\dllcache\OLD4B5.tmp
    c:\windows\system32\dllcache\OLD48B.tmp
    c:\windows\system32\dllcache\OLD487.tmp
    c:\windows\system32\dllcache\OLD483.tmp
    c:\windows\system32\dllcache\OLD32.tmp
    c:\windows\system32\dllcache\OLD2E.tmp
    c:\windows\system32\dllcache\OLD2A.tmp
    c:\windows\system32\dllcache\OLD26.tmp
    c:\windows\system32\dllcache\OLD22.tmp
    c:\windows\system32\dllcache\OLD1E.tmp
    c:\windows\system32\dllcache\OLD1A.tmp
    c:\windows\system32\dllcache\OLD16.tmp
    c:\windows\system32\dllcache\OLD12.tmp
    c:\windows\system32\dllcache\OLDE.tmp
    c:\windows\system32\dllcache\OLDA.tmp
    c:\windows\system32\dllcache\OLD11.tmp
    c:\windows\system32\dllcache\SET1AD.tmp
    c:\windows\system32\dllcache\SETC86.tmp
    c:\windows\system32\dllcache\SETBFB.tmp
    c:\windows\system32\dllcache\SETBDC.tmp
    c:\windows\system32\dllcache\SETA74.tmp
    c:\windows\system32\dllcache\SETA6C.tmp
    c:\windows\system32\dllcache\SETA02.tmp
    c:\windows\system32\dllcache\SET543.tmp
    c:\windows\system32\dllcache\SET2E6.tmp
    c:\windows\system32\dllcache\SETA66.tmp
    c:\windows\system32\dllcache\SET144.tmp
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.

    Run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Reboot your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Tell me what malware problems remain?
     
  6. lovelychihuahua

    lovelychihuahua Private E-2

    The remaining issues are: my shutdown takes about 10 minutes; Windows Security Center says Avira AntiVir is updated and active, but I uninstalled it a while ago and it does not appear in Process Explorer, Task Manager or in Program Files (ComboFix also detected it and gave me two error screens about it); and I uninstalled Roxio, but it showed back up in Process Explorer during startup.

    When Combofix was running, I got a notification called PEV.cfxxe

    C:\WINDOWS\system32\atipdlxx.dll is corrupt or unreadable

    and

    C:\WINDOWS\system32\Oemdspif.dll is corrupt or unreadable

    When Combofix was generating its log, the system abruptly shut down and ran chkdsk. Should I try to track down the chkdsk log?

    After chkdsk finished, combofix tried to upload to its server and was unable to. It gave me a file to try manually, which I did, but it was also unsuccessful.

    Thanks again for your help!
    -lc
     

    Attached Files:

  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    This should do the trick.


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    SecCenter::
    {AD166499-45F9-482A-A743-FDD3350758C7}
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.

    Not a topic for the malware forum.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
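For readers who want to see what the stale "Avira is active" entry in Security Center looks like from the system's side, here is an added PowerShell diagnostic (not ComboFix's code and not part of the original thread). It lists the products registered with Windows Security Center through WMI and flags entries whose product no longer appears in Add/Remove Programs. It assumes PowerShell 2.0 or later is installed (XP does not ship with it), that it is run as Administrator, and that the GUID after the SecCenter:: line above is the instanceGuid of such a stale entry.

```powershell
# Added diagnostic example, not part of the original thread or of ComboFix.
# Lists security products registered with Windows Security Center via WMI and
# flags entries whose product is no longer installed, i.e. the situation in
# the thread: Avira reported as active after being uninstalled.
# Assumptions: PowerShell 2.0+ is installed; the script is run as Administrator.

function Get-InstalledProgramNames {
    # DisplayName values from the Add/Remove Programs registry keys
    # (native and 32-bit-on-64-bit views; the second key is absent on XP).
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object { $_.DisplayName }
}

function Get-SecurityCenterEntries {
    # XP registers products under root\SecurityCenter; Vista and later
    # use root\SecurityCenter2. Query both and ignore the one that is absent.
    foreach ($ns in 'root\SecurityCenter', 'root\SecurityCenter2') {
        foreach ($class in 'AntiVirusProduct', 'AntiSpywareProduct', 'FirewallProduct') {
            $items = Get-WmiObject -Namespace $ns -Class $class -ErrorAction SilentlyContinue
            foreach ($item in $items) {
                New-Object PSObject -Property @{
                    Namespace    = $ns
                    Class        = $class
                    DisplayName  = $item.displayName
                    InstanceGuid = $item.instanceGuid
                }
            }
        }
    }
}

function Find-StaleSecurityCenterEntries {
    $installed = Get-InstalledProgramNames
    foreach ($entry in Get-SecurityCenterEntries) {
        # An entry with no product name at all is suspicious; report it as stale.
        if (-not $entry.DisplayName) { $entry; continue }
        # Otherwise treat it as stale when no installed program name contains
        # the first word of the registered product name (e.g. "Avira").
        $vendorWord = ($entry.DisplayName -split '\s+')[0]
        $match = $installed | Where-Object { $_ -like "*$vendorWord*" }
        if (-not $match) { $entry }
    }
}

$stale = Find-StaleSecurityCenterEntries
if ($stale) {
    "Security Center entries with no matching installed program:"
    $stale | Format-Table Namespace, Class, DisplayName, InstanceGuid -AutoSize
    # Assumption: this InstanceGuid is what a SecCenter:: line in a CFScript names.
    "Compare the InstanceGuid with the GUID given after SecCenter:: in the CFScript."
} else {
    "No stale Security Center entries found."
}
```

The name match is deliberately loose (first word of the product name), so review the flagged entries by hand before acting on them.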
