TechSpot

Google redirect and other nasties..

By davidanthony
Nov 23, 2010
  1. Need help cleaning up my wife's pc.....


    DDS (Ver_10-11-10.01) - NTFSx86
    Run by Dave at 19:03:00.64 on Sat 11/20/2010
    Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_18
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1555 [GMT -4:00]

    AV: AVG Anti-Virus Free Edition 2011 *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\Program Files\AVG\AVG10\avgemcx.exe
    C:\Program Files\AVG\AVG10\avgnsx.exe
    C:\Program Files\AVG\AVG10\avgchsvx.exe
    C:\Program Files\AVG\AVG10\avgrsx.exe
    C:\Program Files\AVG\AVG10\avgcsrvx.exe
    C:\Documents and Settings\Dave.SHELLEY-7C3A8E9\Desktop\dds(2).scr

    ============== Pseudo HJT Report ===============

    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: PlaySushi: {21608b66-026f-4dcb-9244-0daca328dced} - c:\program files\playsushi\PSText.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {EBD24BD3-E272-4FA3-A8BA-C5D709757CAB} - {EBD24BD3-E272-4FA3-A8BA-C5D709757CAB} - c:\program files\playsushi\PSText.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} - hxxp://pogo.oberon-media.com/online2/pogo/zenerchi/ZenerchiWeb.1.0.0.10.cab
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\dave~1.she\applic~1\mozilla\firefox\profiles\a2da39eu.default\
    FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_HotbarSA.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

    ============= SERVICES / DRIVERS ===============

    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 298448]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-10-11 6104656]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-9-10 265400]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
    S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [2010-4-6 23456]

    =============== Created Last 30 ================

    2010-11-15 07:03:52 -------- d-----w- c:\windows\system32\XPSViewer
    2010-11-15 07:03:31 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    2010-11-15 07:03:13 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2010-11-15 07:03:13 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2010-11-15 07:03:13 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
    2010-11-15 07:03:13 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
    2010-11-15 07:03:13 575488 ------w- c:\windows\system32\xpsshhdr.dll
    2010-11-15 07:03:13 117760 ------w- c:\windows\system32\prntvpt.dll
    2010-11-15 07:03:12 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
    2010-11-15 07:03:12 1676288 ------w- c:\windows\system32\xpssvcs.dll
    2010-11-15 07:03:10 -------- d-----w- C:\68de9481b97fa93e2d
    2010-11-15 07:00:53 -------- d-----w- c:\program files\MSXML 6.0
    2010-11-15 07:00:17 -------- d-----w- C:\ec9d36c828509df65cd6354c82
    2010-11-15 01:09:38 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
    2010-11-15 01:09:35 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
    2010-11-13 18:03:44 -------- d--h--r- C:\AHCache
    2010-11-05 23:18:23 -------- d--h--w- c:\docume~1\alluse~1.win\applic~1\Common Files
    2010-11-05 23:18:10 -------- d-----w- c:\docume~1\dave~1.she\applic~1\AVG10
    2010-11-05 23:16:54 -------- d-----w- c:\windows\system32\drivers\AVG
    2010-11-05 23:16:54 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\AVG10
    2010-11-05 20:54:16 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\MFAData
    2010-11-05 15:37:11 -------- d-----w- c:\docume~1\dave~1.she\applic~1\Malwarebytes
    2010-11-05 15:37:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-11-05 15:36:59 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
    2010-11-05 15:36:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-05 15:36:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-11-05 11:02:45 -------- d-----w- c:\windows\pss
    2010-11-05 02:51:02 -------- d-----w- c:\docume~1\dave~1.she\applic~1\Koyg
    2010-11-05 02:51:02 -------- d-----w- c:\docume~1\dave~1.she\applic~1\Boyv
    2010-11-04 21:48:36 -------- d-----w- c:\docume~1\dave~1.she\applic~1\SUPERAntiSpyware.com
    2010-11-04 21:48:36 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\SUPERAntiSpyware.com
    2010-11-04 21:48:31 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-11-04 21:45:09 -------- d-----w- c:\docume~1\dave~1.she\locals~1\applic~1\AskToolbar
    2010-11-01 16:05:41 -------- d-----w- c:\program files\windows
    2010-10-30 20:20:06 -------- d--h--w- C:\$AVG
    2010-10-27 10:21:10 -------- d-----w- c:\program files\tmp
    2010-10-27 10:20:59 -------- d-----w- c:\program files\Microsoft

    ==================== Find3M ====================


    ============= FINISH: 19:03:31.29 ===============



    and the gmer log...


    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2010-11-20 18:58:40
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5 ST3320820AS rev.3.AHG
    Running: tzwim2gj.exe; Driver: C:\DOCUME~1\DAVE~1.SHE\LOCALS~1\Temp\afnirfog.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    ---- EOF - GMER 1.0.15 ----


    Thanks in advance...
    Dave
     
  2. Broni

    Broni Malware Annihilator Posts: 52,884   +344

    Please complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    =========================================================================

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     
  3. davidanthony

    davidanthony TS Rookie Topic Starter Posts: 64

    Hi,
    I performed the steps you recommended and the logs are at the start of this thread.
     
  4. Broni

    Broni Malware Annihilator Posts: 52,884   +344
