TechSpot

And another Google redirect problem

Solved
By endofdays
Jul 2, 2010
  1. I noticed today that I'm getting redirected to search engine sites when clicking on links in Google. I haven't used the net for a few days, and I'm normally careful about clicking links but Java hasn't been updated for a while (it is now) so I don't know if that's allowed a virus in the back door and I'm only just noticing it.

    I've run AVG and Spyware Doctor and neither of those is picking anything up. I downloaded and ran Hitman Pro 3.5.6, which picked up and removed a Trojan, but I'm still getting redirected. Malwarebytes hasn't picked anything up yet, though it hasn't finished scanning. I ran HijackThis and have attached the log. I can't make any sense of it, so if anyone's able to take a look and offer some advice I'd really appreciate it.

  2. Broni

    Broni Malware Annihilator Posts: 47,156   +264

  3. endofdays

    endofdays TS Rookie Topic Starter

    Thanks for the reply.

    I spent a lot of time running anti-virus, spyware and malware programmes last night - Spyware Doctor picked up and removed a Trojan, as did Hitman Pro - and when I went online this morning the redirect had stopped. I did install Microsoft Security Essentials as another forum suggested that might find something, though as I also have AVG installed I'll remove the Microsoft programme later.

    I've followed the steps though and Malwarebytes picked up and removed a Trojan. I did have trouble with GMER - I ran it in both normal and safe mode and both times the computer shut itself down and a blue screen came up saying Windows had to close to prevent damage to the computer. I went through the rest of the steps though and have included the Malwarebytes and DDS logs below, and have attached the Malwarebytes, DDS and Attach logs to this post as the text box wasn't big enough for me to be able to include them all.


    Malwarebytes:
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4052

    Windows 6.0.6000
    Internet Explorer 7.0.6000.17037

    03/07/2010 08:12:55
    mbam-log-2010-07-03 (08-12-55).txt

    Scan type: Quick scan
    Objects scanned: 118079
    Time elapsed: 12 minute(s), 46 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hwajepixoxi (Trojan.Agent.U) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    DDS:
    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Bethan at 9:11:40.20 on 03/07/2010
    Internet Explorer: 7.0.6000.17037 BrowserJavaVersion: 1.6.0_20
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.44.1033.18.1789.853 [GMT 1:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    SP: Microsoft Security Essentials *enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDE}
    SP: Spyware Doctor *enabled* (Updated) {1C3EDD79-273E-46ac-99F8-EFA9E7CBC301}
    SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\FSC\TouchPad HotKey Utility\TouchPad_HotKey.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\AVG\AVG9\avgtray.exe
    C:\Program Files\Microsoft Security Essentials\msseces.exe
    C:\Windows\ehome\ehtray.exe
    D:\Program Files\WZQKPICK.EXE
    C:\Program Files\FSC\Wireless Utility\WirelessSelector.exe
    D:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
    D:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Users\Bethan\Desktop\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.orange.co.uk
    uDefault_Page_URL = hxxp://www.orange.co.uk
    uInternet Settings,ProxyOverride = <local>
    uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    TB: Orange Toolbar: {e97b5f2e-ca8e-4d34-bda3-44eec4ed2b12} - c:\program files\orange toolbar uk\ToolbarContainer211.dll
    TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
    EB: Orange Toolbar: {e97b5f2e-ca8e-4d34-bda3-44eec4ed2b12} - c:\program files\orange toolbar uk\ToolbarContainer211.dll
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [TouchPadHotKey] c:\program files\fsc\touchpad hotkey utility\TouchPad_HotKey.exe
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [<NO NAME>]
    mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
    mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
    mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    StartupFolder: c:\users\bethan\appdata\roaming\micros~1\windows\startm~1\programs\startup\bbcipl~1.lnk - d:\program files\bbc iplayer desktop\BBC iPlayer Desktop.exe
    StartupFolder: c:\users\bethan\appdata\roaming\micros~1\windows\startm~1\programs\startup\pictur~1.lnk - d:\program files\sony\sony picture utility\volumewatcher\SPUVolumeWatcher.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\winzip~1.lnk - d:\program files\WZQKPICK.EXE
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\wirele~1.lnk - c:\program files\fsc\wireless utility\WirelessSelector.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    AppInit_DLLs: avgrsstx.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\bethan\appdata\roaming\mozilla\firefox\profiles\tltbydfq.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
    FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
    FF - component: c:\users\bethan\appdata\roaming\mozilla\firefox\profiles\tltbydfq.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\users\bethan\appdata\roaming\facebook\npfbplugin_1_0_3.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: general.useragent.extra.zencast -
    ============= SERVICES / DRIVERS ===============

    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-5-10 218592]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-4 216200]
    R1 AvgMfx86;AVG Minifilter x86 Resident Driver;c:\windows\system32\drivers\avgmfx86.sys [2008-2-23 29584]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-4 242896]
    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
    R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-27 308064]
    R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-1-4 112592]
    R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 42368]
    R3 SiS6350;SiS6350;c:\windows\system32\drivers\SISGRKMD.sys [2007-9-14 456568]
    R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\drivers\SiSGB6.sys [2007-10-26 47616]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2006-11-2 167936]

    =============== Created Last 30 ================

    2010-07-03 07:32:21 93056 ----a-w- C:\ugliipow.sys
    2010-07-03 07:29:32 250051986 ----a-w- c:\windows\MEMORY.DMP
    2010-07-02 21:43:31 0 d-----w- c:\program files\Microsoft Security Essentials
    2010-07-02 19:05:19 478 ----a-w- c:\windows\system32\.crusader
    2010-07-02 18:57:15 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-07-02 18:57:03 0 d-----w- c:\programdata\Hitman Pro
    2010-07-02 18:56:52 0 d-----w- c:\program files\Hitman Pro 3.5
    2010-07-02 18:23:03 0 d-----w- c:\programdata\Sun
    2010-07-02 18:22:30 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-06-26 08:12:06 62744 ----a-w- c:\windows\system32\xinput1_2.dll
    2010-06-26 08:12:06 236824 ----a-w- c:\windows\system32\xactengine2_3.dll
    2010-06-26 08:11:23 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
    2010-06-26 08:10:34 118520 ----a-w- c:\windows\system32\PxInsI64.exe
    2010-06-26 08:10:34 115960 ----a-w- c:\windows\system32\PxCpyI64.exe

    ==================== Find3M ====================

    2010-06-08 02:16:01 763832 ----a-w- c:\windows\BDTSupport.dll
    2010-06-08 00:21:02 1652664 ----a-w- c:\windows\PCTBDCore.dll
    2010-06-04 20:20:54 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-06-01 17:37:48 221568 ------w- c:\windows\system32\MpSigStub.exe
    2010-03-29 17:03:08 86016 ----a-w- c:\windows\inf\infstrng.dat
    2010-03-29 17:03:08 86016 ----a-w- c:\windows\inf\infstor.dat
    2010-03-29 17:03:08 51200 ----a-w- c:\windows\inf\infpub.dat
    2008-12-31 11:14:56 174 --sha-w- c:\program files\desktop.ini
    2008-10-19 15:20:29 665600 ----a-w- c:\windows\inf\drvindex.dat
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2010-03-14 10:31:49 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
    2010-03-14 10:31:49 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
    2010-03-14 10:31:49 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
    2007-09-10 06:27:38 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

    ============= FINISH: 9:14:06.20 ===============

  4. Broni

    Broni Malware Annihilator Posts: 47,156   +264

    You can't run two AV programs at the same time.
    AVG or MSE must go before we proceed further.

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  5. endofdays

    endofdays TS Rookie Topic Starter

    I uninstalled MSE before running ComboFix. Here's the ComboFix report:

    ComboFix 10-07-01.02 - Bethan 03/07/2010 18:14:32.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.44.1033.18.1789.890 [GMT 1:00]
    Running from: c:\users\Bethan\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    SP: Spyware Doctor *disabled* (Updated) {1C3EDD79-273E-46ac-99F8-EFA9E7CBC301}
    SP: Windows Defender *enabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\Thumbs.db

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_NPF
    -------\Service_NPF


    ((((((((((((((((((((((((( Files Created from 2010-06-03 to 2010-07-03 )))))))))))))))))))))))))))))))
    .

    2010-07-03 17:24 . 2010-07-03 17:29 -------- d-----w- c:\users\Bethan\AppData\Local\temp
    2010-07-03 17:24 . 2010-07-03 17:24 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-07-03 07:32 . 2010-07-03 07:32 93056 ----a-w- C:\ugliipow.sys
    2010-07-03 06:51 . 2010-04-10 21:16 38784 ----a-w- c:\users\Bethan\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
    2010-07-02 18:57 . 2010-07-03 08:50 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-07-02 18:57 . 2010-07-02 19:05 -------- d-----w- c:\programdata\Hitman Pro
    2010-07-02 18:56 . 2010-07-02 18:56 -------- d-----w- c:\program files\Hitman Pro 3.5
    2010-07-02 18:22 . 2010-07-02 18:22 -------- d-----w- c:\program files\Common Files\Java
    2010-07-02 18:22 . 2010-04-12 16:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-06-26 08:12 . 2006-07-28 08:30 236824 ----a-w- c:\windows\system32\xactengine2_3.dll
    2010-06-26 08:12 . 2006-07-28 08:30 62744 ----a-w- c:\windows\system32\xinput1_2.dll
    2010-06-26 08:11 . 2005-05-26 14:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
    2010-06-26 08:10 . 2006-11-02 15:57 118520 ----a-w- c:\windows\system32\PxInsI64.exe
    2010-06-26 08:10 . 2006-10-18 18:43 115960 ----a-w- c:\windows\system32\PxCpyI64.exe
    2010-06-26 07:14 . 2010-06-26 07:14 -------- d-----w- c:\users\Bethan\AppData\Roaming\Sony Corporation
    2010-06-26 06:57 . 2010-06-26 06:57 -------- d-----w- c:\users\Bethan\AppData\Roaming\InstallShield
    2010-06-20 20:40 . 2010-07-02 18:28 120 ----a-w- c:\users\Bethan\AppData\Local\Bludunifu.dat
    2010-06-20 20:40 . 2010-07-02 07:35 0 ----a-w- c:\users\Bethan\AppData\Local\Ysefuliviha.bin
    2010-06-20 20:40 . 2010-06-20 20:40 -------- d-----w- c:\users\Bethan\AppData\Local\{D19A7CDE-370F-4CCA-8145-412C98A03C1E}
    2010-06-04 20:22 . 2010-06-04 20:22 29512 ----a-w- c:\programdata\avg9\update\backup\avgmfx86.sys
    2010-06-04 20:22 . 2010-06-04 20:22 242896 ----a-w- c:\programdata\avg9\update\backup\avgtdix.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-03 17:29 . 2008-12-31 10:36 -------- d-----w- c:\program files\Spyware Doctor
    2010-07-03 09:28 . 2010-03-30 16:42 0 ----a-w- c:\users\Bethan\AppData\Local\prvlcl.dat
    2010-07-03 06:54 . 2010-01-14 15:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-03 06:38 . 2008-02-20 22:17 -------- d-----w- c:\program files\Common Files\Adobe
    2010-07-02 18:22 . 2008-05-18 11:38 -------- d-----w- c:\program files\Java
    2010-06-27 21:13 . 2008-05-18 14:12 -------- d-----w- c:\users\Bethan\AppData\Roaming\vlc
    2010-06-26 08:13 . 2008-02-21 07:04 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-06-26 06:39 . 2009-11-12 18:03 -------- d-----w- c:\programdata\avg9
    2010-06-08 02:16 . 2010-01-04 08:59 763832 ----a-w- c:\windows\BDTSupport.dll
    2010-06-08 00:21 . 2010-01-04 08:59 1652664 ----a-w- c:\windows\PCTBDCore.dll
    2010-06-04 20:20 . 2009-03-04 20:28 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-06-04 20:20 . 2008-02-23 14:28 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2010-06-01 17:37 . 2009-11-12 17:32 221568 ------w- c:\windows\system32\MpSigStub.exe
    2010-04-29 14:39 . 2010-01-14 15:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-29 14:39 . 2010-01-14 15:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-24 20:47 . 2010-04-24 20:47 50354 ----a-w- c:\users\Bethan\AppData\Roaming\Facebook\uninstall.exe
    2010-04-08 13:29 . 2009-05-10 20:10 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
    2007-09-10 06:27 . 2007-09-10 04:49 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

    [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
    2010-04-19 09:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-09-10 1006264]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-10 869936]
    "RtHDVCpl"="RtHDVCpl.exe" [2007-08-09 4702208]
    "TouchPadHotKey"="c:\program files\FSC\TouchPad HotKey Utility\TouchPad_HotKey.exe" [2007-08-13 364544]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
    "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-06-08 236016]
    "ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-05-28 1287120]
    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-03-09 37888]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-04 2065248]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

    c:\users\Bethan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    BBC iPlayer Desktop.lnk - d:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [2010-4-10 95232]
    Picture Motion Browser Media Check Tool.lnk - d:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2010-6-26 368640]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-2-23 113664]
    WinZip Quick Pick.lnk - d:\program files\WZQKPICK.EXE [2009-10-13 495432]
    WirelessSelector.lnk - c:\program files\FSC\Wireless Utility\WirelessSelector.exe [2008-2-21 650752]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2006-11-02 167936]
    S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-03-29 218592]
    S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-03-27 216200]
    S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-06-04 242896]
    S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-03-27 308064]
    S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2010-01-22 112592]
    S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2010-03-11 366840]
    S3 SiS6350;SiS6350;c:\windows\system32\DRIVERS\SISGRKMD.sys [2007-08-14 456568]
    S3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\DRIVERS\SiSGB6.sys [2007-07-04 47616]


    --- Other Services/Drivers In Memory ---

    *Deregistered* - PCTSDInjDriver32
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.orange.co.uk
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\users\Bethan\AppData\Roaming\Mozilla\Firefox\Profiles\tltbydfq.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
    FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
    FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
    FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
    FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
    FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
    FF - component: c:\users\Bethan\AppData\Roaming\Mozilla\Firefox\Profiles\tltbydfq.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\users\Bethan\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: general.useragent.extra.zencast - .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-07-03 18:30
    Windows 6.0.6000 NTFS

    detected NTDLL code modification:
    ZwClose

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'Explorer.exe'(3780)
    c:\windows\System32\npmproxy.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVG\AVG9\avgnsx.exe
    c:\program files\AVG\AVG9\avgchsvx.exe
    c:\program files\AVG\AVG9\avgrsx.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\program files\Spyware Doctor\pctsSvc.exe
    .
    **************************************************************************
    .
    Completion time: 2010-07-03 18:34:56 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-07-03 17:34

    Pre-Run: 2,244,231,168 bytes free
    Post-Run: 1,827,729,408 bytes free

    Current=1 Default=1 Failed=0 LastKnownGood=64 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64
    - - End Of File - - B69FE513BD34A29C2C3DFEC1FFF081C2



    I did have to restart my computer after the ComboFix reboot because every time I tried to open a programme (like Mozilla) it came up with an error message. I can't remember all it said, but it was something to do with the registry file being marked for deletion or something similar. Not sure if that means anything though.
     


  6. Broni

    Broni Malware Annihilator Posts: 47,156   +264

    Yes, that's a common message ("file being marked for deletion"), if the computer is not restarted.

    How is redirection?

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    C:\ugliipow.sys
    c:\users\Bethan\AppData\Local\Ysefuliviha.bin
    c:\users\Bethan\AppData\Local\prvlcl.dat
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    (animation: CFScript.txt being dragged onto ComboFix.exe)


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  7. endofdays

    endofdays TS Rookie Topic Starter

    Ah that's cool. It was fine after my manual restart so that must have been the problem.

    Redirection hasn't been a problem since I switched on the machine this morning, but Spyware Doctor has picked up another 25 Trojans in the system, which is a bit worrying even though it says it's deleted them.

    I'll drag that text file into ComboFix now and post the results.
     
  8. Broni

    Broni Malware Annihilator Posts: 47,156   +264

    OK.........
     
  9. endofdays

    endofdays TS Rookie Topic Starter

    Okey doke, log results are:

    ComboFix 10-07-01.02 - Bethan 03/07/2010 19:11:29.2.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.44.1033.18.1789.835 [GMT 1:00]
    Running from: c:\users\Bethan\Desktop\ComboFix.exe
    Command switches used :: c:\users\Bethan\Desktop\CFScript.txt
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    SP: Spyware Doctor *disabled* (Updated) {1C3EDD79-273E-46ac-99F8-EFA9E7CBC301}
    SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    FILE ::
    "C:\ugliipow.sys"
    "c:\users\Bethan\AppData\Local\prvlcl.dat"
    "c:\users\Bethan\AppData\Local\Ysefuliviha.bin"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\ugliipow.sys
    c:\users\Bethan\AppData\Local\prvlcl.dat
    c:\users\Bethan\AppData\Local\Ysefuliviha.bin

    .
    ((((((((((((((((((((((((( Files Created from 2010-06-03 to 2010-07-03 )))))))))))))))))))))))))))))))
    .

    2010-07-03 18:19 . 2010-07-03 18:19 -------- d-----w- c:\users\Bethan\AppData\Local\temp
    2010-07-03 18:19 . 2010-07-03 18:19 -------- d-----w- c:\users\Public\AppData\Local\temp
    2010-07-03 18:19 . 2010-07-03 18:19 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-07-03 18:09 . 2010-07-03 18:10 -------- d-----w- C:\32788R22FWJFW
    2010-07-03 06:51 . 2010-04-10 21:16 38784 ----a-w- c:\users\Bethan\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
    2010-07-02 18:57 . 2010-07-03 08:50 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-07-02 18:57 . 2010-07-02 19:05 -------- d-----w- c:\programdata\Hitman Pro
    2010-07-02 18:56 . 2010-07-02 18:56 -------- d-----w- c:\program files\Hitman Pro 3.5
    2010-07-02 18:22 . 2010-07-02 18:22 -------- d-----w- c:\program files\Common Files\Java
    2010-07-02 18:22 . 2010-04-12 16:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-06-26 08:12 . 2006-07-28 08:30 236824 ----a-w- c:\windows\system32\xactengine2_3.dll
    2010-06-26 08:12 . 2006-07-28 08:30 62744 ----a-w- c:\windows\system32\xinput1_2.dll
    2010-06-26 08:11 . 2005-05-26 14:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
    2010-06-26 08:10 . 2006-11-02 15:57 118520 ----a-w- c:\windows\system32\PxInsI64.exe
    2010-06-26 08:10 . 2006-10-18 18:43 115960 ----a-w- c:\windows\system32\PxCpyI64.exe
    2010-06-26 07:14 . 2010-06-26 07:14 -------- d-----w- c:\users\Bethan\AppData\Roaming\Sony Corporation
    2010-06-26 06:57 . 2010-06-26 06:57 -------- d-----w- c:\users\Bethan\AppData\Roaming\InstallShield
    2010-06-20 20:40 . 2010-07-02 18:28 120 ----a-w- c:\users\Bethan\AppData\Local\Bludunifu.dat
    2010-06-20 20:40 . 2010-06-20 20:40 -------- d-----w- c:\users\Bethan\AppData\Local\{D19A7CDE-370F-4CCA-8145-412C98A03C1E}
    2010-06-04 20:22 . 2010-06-04 20:22 29512 ----a-w- c:\programdata\avg9\update\backup\avgmfx86.sys
    2010-06-04 20:22 . 2010-06-04 20:22 242896 ----a-w- c:\programdata\avg9\update\backup\avgtdix.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-03 18:03 . 2008-12-31 10:36 -------- d-----w- c:\program files\Spyware Doctor
    2010-07-03 06:54 . 2010-01-14 15:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-03 06:38 . 2008-02-20 22:17 -------- d-----w- c:\program files\Common Files\Adobe
    2010-07-02 18:22 . 2008-05-18 11:38 -------- d-----w- c:\program files\Java
    2010-06-27 21:13 . 2008-05-18 14:12 -------- d-----w- c:\users\Bethan\AppData\Roaming\vlc
    2010-06-26 08:13 . 2008-02-21 07:04 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-06-26 06:39 . 2009-11-12 18:03 -------- d-----w- c:\programdata\avg9
    2010-06-08 02:16 . 2010-01-04 08:59 763832 ----a-w- c:\windows\BDTSupport.dll
    2010-06-08 00:21 . 2010-01-04 08:59 1652664 ----a-w- c:\windows\PCTBDCore.dll
    2010-06-04 20:20 . 2009-03-04 20:28 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-06-04 20:20 . 2008-02-23 14:28 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2010-06-01 17:37 . 2009-11-12 17:32 221568 ------w- c:\windows\system32\MpSigStub.exe
    2010-04-29 14:39 . 2010-01-14 15:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-29 14:39 . 2010-01-14 15:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-24 20:47 . 2010-04-24 20:47 50354 ----a-w- c:\users\Bethan\AppData\Roaming\Facebook\uninstall.exe
    2010-04-08 13:29 . 2009-05-10 20:10 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
    2007-09-10 06:27 . 2007-09-10 04:49 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

    [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
    2010-04-19 09:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-09-10 1006264]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-10 869936]
    "RtHDVCpl"="RtHDVCpl.exe" [2007-08-09 4702208]
    "TouchPadHotKey"="c:\program files\FSC\TouchPad HotKey Utility\TouchPad_HotKey.exe" [2007-08-13 364544]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
    "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-06-08 236016]
    "ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-05-28 1287120]
    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-03-09 37888]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-04 2065248]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

    c:\users\Bethan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    BBC iPlayer Desktop.lnk - d:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [2010-4-10 95232]
    Picture Motion Browser Media Check Tool.lnk - d:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2010-6-26 368640]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-2-23 113664]
    WinZip Quick Pick.lnk - d:\program files\WZQKPICK.EXE [2009-10-13 495432]
    WirelessSelector.lnk - c:\program files\FSC\Wireless Utility\WirelessSelector.exe [2008-2-21 650752]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2006-11-02 167936]
    S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-03-29 218592]
    S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-03-27 216200]
    S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-06-04 242896]
    S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-03-27 308064]
    S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2010-01-22 112592]
    S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2010-03-11 366840]
    S3 SiS6350;SiS6350;c:\windows\system32\DRIVERS\SISGRKMD.sys [2007-08-14 456568]
    S3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\DRIVERS\SiSGB6.sys [2007-07-04 47616]


    --- Other Services/Drivers In Memory ---

    *Deregistered* - PCTSDInjDriver32
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.orange.co.uk
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\users\Bethan\AppData\Roaming\Mozilla\Firefox\Profiles\tltbydfq.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
    FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
    FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
    FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
    FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
    FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
    FF - component: c:\users\Bethan\AppData\Roaming\Mozilla\Firefox\Profiles\tltbydfq.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\users\Bethan\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: general.useragent.extra.zencast - .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-07-03 19:19
    Windows 6.0.6000 NTFS

    detected NTDLL code modification:
    ZwClose

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2010-07-03 19:23:33
    ComboFix-quarantined-files.txt 2010-07-03 18:23
    ComboFix2.txt 2010-07-03 17:34

    Pre-Run: 1,760,825,344 bytes free
    Post-Run: 1,590,317,056 bytes free

    Current=1 Default=1 Failed=0 LastKnownGood=64 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64
    - - End Of File - - 48E99E32A3000EEB908E807ACDAC51E2



    Thanks so much for all your help!
     

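    The two ComboFix runs above are worth a second look as logs, not just as a fix: the three paths the CFScript removes (a .sys at the drive root and two data files dropped straight into AppData\Local) are exactly the kind of entries an analyst scans the "Files Created" section for. The script below is an added example, not ComboFix, OTL or TechSpot code, that parses that listing format and applies two location rules of my own choosing; it is a review list, not a verdict (AVG's own driver backup under avg9\update\backup trips the driver rule, which is the point). The sample lines are copied from the log above except the C:\ugliipow.sys line, which ComboFix only listed under "Other Deletions", so its timestamp and size here are made up.

```python
import re
from pathlib import PureWindowsPath

# One "Files Created" line: "<created> . <modified> <size|--------> <attrs> <path>"
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>-{8}|\d+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>\S.*?)\s*$"
)

# Constructed sample: lines copied from the ComboFix log above, plus a line for
# C:\ugliipow.sys written in the same format (its timestamp and size are invented).
SAMPLE_LOG = r"""
2010-07-02 18:57 . 2010-07-03 08:50 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-20 20:40 . 2010-07-02 18:28 120 ----a-w- c:\users\Bethan\AppData\Local\Bludunifu.dat
2010-06-20 20:40 . 2010-06-20 20:40 -------- d-----w- c:\users\Bethan\AppData\Local\{D19A7CDE-370F-4CCA-8145-412C98A03C1E}
2010-06-04 20:22 . 2010-06-04 20:22 29512 ----a-w- c:\programdata\avg9\update\backup\avgmfx86.sys
2010-07-03 18:19 . 2010-07-03 18:19 -------- d-----w- c:\users\Bethan\AppData\Local\temp
2010-06-20 20:40 . 2010-06-20 20:40 17408 ----a-w- C:\ugliipow.sys
"""

GUID_RE = re.compile(r"\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}")


def parse_combofix_lines(text):
    """Return [(path, is_dir), ...] for every line matching the listing format."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            # The first attribute column is 'd' for directories.
            entries.append((m.group("path"), m.group("attrs").startswith("d")))
    return entries


def triage_path(path, is_dir=False):
    """Reasons this entry deserves review; an empty list means neither rule fired."""
    p = PureWindowsPath(path)
    parts = [s.lower() for s in p.parts]  # parts[0] is the drive, e.g. 'c:\\'
    parent = parts[-3:-1]                  # the two directories above the entry
    reasons = []
    if not is_dir and p.suffix.lower() == ".sys" and parent != ["system32", "drivers"]:
        # Kernel drivers belong in system32\drivers. One at the drive root is a
        # classic rootkit drop; a vendor backup copy also matches, so an analyst
        # still has to look at each hit.
        reasons.append("driver outside system32\\drivers")
    if parent == ["appdata", "local"]:
        if is_dir:
            if GUID_RE.fullmatch(parts[-1]):
                reasons.append("GUID-named directory directly in AppData\\Local")
        else:
            # Real software creates a vendor subfolder; a loose .dat/.bin dropped
            # straight into AppData\Local is the pattern the CFScript above removed.
            reasons.append("loose file directly in AppData\\Local")
    return reasons


def triage_log(text):
    """Map every flagged path in a ComboFix listing to its reasons."""
    flagged = {}
    for path, is_dir in parse_combofix_lines(text):
        reasons = triage_path(path, is_dir)
        if reasons:
            flagged[path] = reasons
    return flagged


if __name__ == "__main__":
    for path, reasons in triage_log(SAMPLE_LOG).items():
        print(path)
        print("    " + "; ".join(reasons))
```

    Run it against a saved ComboFix.txt by reading the file into `triage_log`; the Hitman Pro driver and the temp directory come out clean, while the two AppData\Local drops, the GUID directory and both out-of-place .sys files are listed for review.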

  10. Broni

    Broni Malware Annihilator Posts: 47,156   +264

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ======================================================================

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:



    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  11. endofdays

    endofdays TS Rookie Topic Starter

    Sorry for the late reply - sleep called! I've had to attach both files as they were too long to fit in the text box.
     


     
  12. Broni

    Broni Malware Annihilator Posts: 47,156   +264

    You're running really low on C drive free space:
    =====================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
      O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
      O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
      @Alternate Data Stream - 174 bytes -> C:\ProgramData\TEMP:DFC5A2B2
      @Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:A8ADE5D8
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [resethosts]
      [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
     
  13. endofdays

    endofdays TS Rookie Topic Starter

    I know. I thought it'd be plenty when I partitioned the hard drive but that was about 4 years ago now. I want to move some of the free space on the D drive to the C drive but I need to defrag both drives and then move some stuff over, but I need to find some instructions to follow carefully before I do that.

    I've got a file called desktop.ini on the desktop following the last ComboFix scan before it was uninstalled. Can I delete it? Here's the OTL log:

    All processes killed
    ========== OTL ==========
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
    Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
    C:\Windows\Downloaded Program Files\gp.inf not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
    ADS C:\ProgramData\TEMP:DFC5A2B2 deleted successfully.
    ADS C:\ProgramData\TEMP:A8ADE5D8 deleted successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Bethan
    ->Temp folder emptied: 10515 bytes
    ->Temporary Internet Files folder emptied: 927455835 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 84806263 bytes
    ->Flash cache emptied: 42345 bytes

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 72932 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 965.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Bethan
    ->Flash cache emptied: 0 bytes

    User: Default
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Public

    Total Flash Files Cleaned = 0.00 mb

    C:\Windows\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    OTL by OldTimer - Version 3.2.7.0 log created on 07042010_173456

    Files\Folders moved on Reboot...
    C:\Users\Bethan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF0003.tmp moved successfully.

    Registry entries deleted on Reboot...
     

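    The `[resethosts]` command in the OTL fix above, and the "HOSTS file reset successfully" line in the result, address one of the ways search redirects are done: the hosts file either pins a search engine to an attacker's address or blackholes security vendors' update sites. Checking for that is something you can do by hand before running any cleanup tool. The script below is an added example, not OTL's code and not the hosts file from this machine; the sample hosts content is constructed (the Windows default plus three planted lines, using the documentation address 192.0.2.15), and the watchlist of domains whose blackholing is suspicious is my own choice, not a list from the page.

```python
import ipaddress

# Domains that a legitimate hosts file has no business sending to 127.0.0.1 or
# 0.0.0.0: search engines and the security vendors seen in this thread. Assumed
# watchlist for the example; extend it for your own environment.
WATCHLIST = (
    "google.com", "google.co.uk", "bing.com", "yahoo.com",
    "microsoft.com", "windowsupdate.com",
    "avg.com", "kaspersky.com", "malwarebytes.org", "pctools.com",
)

# Names the default Windows/macOS hosts file maps on purpose.
DEFAULT_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample: the default Windows entries, an ad-blocking line that is
# fine, one blackholed search engine and two hijacked names.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ad.doubleclick.net      # ad blocking, left alone
127.0.0.1       www.google.com
192.0.2.15      www.google.co.uk  www.bing.com
"""


def parse_hosts(text):
    """Return [(ip_address, hostname), ...], ignoring comments and blank lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # malformed line; skip it
        for host in fields[1:]:               # one address may carry several names
            pairs.append((ip, host.lower()))
    return pairs


def on_watchlist(host):
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)


def audit_hosts(text):
    """Return [(hostname, ip, finding), ...] for entries that need a human look."""
    findings = []
    for ip, host in parse_hosts(text):
        if host in DEFAULT_NAMES:
            continue
        if ip.is_loopback or ip.is_unspecified:
            # Sending a name to 127.0.0.1 / 0.0.0.0 / ::1 blocks it. That is normal
            # for ad domains, and a red flag for search engines and AV vendors.
            if on_watchlist(host):
                findings.append((host, str(ip), "blackholed: site cannot be reached"))
        else:
            # Any other fixed address overrides DNS for that name: the redirect case.
            findings.append((host, str(ip), "hijacked: name pinned to a fixed address"))
    return findings


if __name__ == "__main__":
    for host, ip, finding in audit_hosts(SAMPLE_HOSTS):
        print(f"{host:<22} {ip:<16} {finding}")
```

    On a Windows box the file to read is `%SystemRoot%\System32\drivers\etc\hosts`; it can also be hidden-attribute or made read-only by malware, so open it with `attrib` in mind. A clean Windows hosts file produces no findings at all.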

  14. Broni

    Broni Malware Annihilator Posts: 47,156   +264

    Good :)

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
      [*] Archives
      [*] Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
     
  15. endofdays

    endofdays TS Rookie Topic Starter

    Takes a while to scan doesn't it?! Here are the results, I'm guessing they're good:

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Sunday, July 4, 2010
    Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit (build 6000)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Sunday, July 04, 2010 15:01:03
    Records in database: 4247770
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    F:\

    Scan statistics:
    Objects scanned: 110847
    Threats found: 0
    Infected objects found: 0
    Suspicious objects found: 0
    Scan duration: 02:26:56

    No threats found. Scanned area is clean.

    Selected area has been scanned.
     


  16. Broni

    Broni Malware Annihilator Posts: 47,156   +264

    Nice :)

    OTL Clean-Up
    Clean up with OTL:

    * Double-click OTL.exe to start the program.
    * Close all other programs apart from OTL as this step will require a reboot
    * On the OTL main screen, press the CLEANUP button
    * Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    =====================================================================

    Your computer is clean.

    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point.

    Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista and 7:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    9. Please let me know how your computer is doing.
     
  17. endofdays

    endofdays TS Rookie Topic Starter

    Thank you! I'm heading to bed as it's 11pm here, but I'll follow these steps tomorrow. Thanks so much for your help with this - I really, really appreciate it.
     
  18. Broni

    Broni Malware Annihilator Posts: 47,156   +264

    You're very welcome.
     
  19. Broni

    Broni Malware Annihilator Posts: 47,156   +264

    Any word about your computer?
     
  20. endofdays

    endofdays TS Rookie Topic Starter

    Sorry, I haven't been online for a few days. It all seems to be working fine now - no problems with Google and everything's coming up clean when the virus/spyware checks are done. Thanks again.
     
  21. Broni

    Broni Malware Annihilator Posts: 47,156   +264

    You're very welcome.
    Good luck :)
     
Topic Status:
Not open for further replies.

