Inactive Google redirect and other nasties..

[davidanthony]

Need help cleaning up my wife's pc.....


DDS (Ver_10-11-10.01) - NTFSx86
Run by Dave at 19:03:00.64 on Sat 11/20/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1555 [GMT -4:00]

AV: AVG Anti-Virus Free Edition 2011 *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgchsvx.exe
C:\Program Files\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Documents and Settings\Dave.SHELLEY-7C3A8E9\Desktop\dds(2).scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PlaySushi: {21608b66-026f-4dcb-9244-0daca328dced} - c:\program files\playsushi\PSText.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {EBD24BD3-E272-4FA3-A8BA-C5D709757CAB} - {EBD24BD3-E272-4FA3-A8BA-C5D709757CAB} - c:\program files\playsushi\PSText.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} - hxxp://pogo.oberon-media.com/online2/pogo/zenerchi/ZenerchiWeb.1.0.0.10.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dave~1.she\applic~1\mozilla\firefox\profiles\a2da39eu.default\
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_HotbarSA.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 298448]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-10-11 6104656]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-9-10 265400]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [2010-4-6 23456]

=============== Created Last 30 ================

2010-11-15 07:03:52 -------- d-----w- c:\windows\system32\XPSViewer
2010-11-15 07:03:31 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-11-15 07:03:13 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-11-15 07:03:13 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-11-15 07:03:13 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-11-15 07:03:13 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-11-15 07:03:13 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-11-15 07:03:13 117760 ------w- c:\windows\system32\prntvpt.dll
2010-11-15 07:03:12 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-11-15 07:03:12 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-11-15 07:03:10 -------- d-----w- C:\68de9481b97fa93e2d
2010-11-15 07:00:53 -------- d-----w- c:\program files\MSXML 6.0
2010-11-15 07:00:17 -------- d-----w- C:\ec9d36c828509df65cd6354c82
2010-11-15 01:09:38 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2010-11-15 01:09:35 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
2010-11-13 18:03:44 -------- d--h--r- C:\AHCache
2010-11-05 23:18:23 -------- d--h--w- c:\docume~1\alluse~1.win\applic~1\Common Files
2010-11-05 23:18:10 -------- d-----w- c:\docume~1\dave~1.she\applic~1\AVG10
2010-11-05 23:16:54 -------- d-----w- c:\windows\system32\drivers\AVG
2010-11-05 23:16:54 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\AVG10
2010-11-05 20:54:16 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\MFAData
2010-11-05 15:37:11 -------- d-----w- c:\docume~1\dave~1.she\applic~1\Malwarebytes
2010-11-05 15:37:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-05 15:36:59 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2010-11-05 15:36:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-05 15:36:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-05 11:02:45 -------- d-----w- c:\windows\pss
2010-11-05 02:51:02 -------- d-----w- c:\docume~1\dave~1.she\applic~1\Koyg
2010-11-05 02:51:02 -------- d-----w- c:\docume~1\dave~1.she\applic~1\Boyv
2010-11-04 21:48:36 -------- d-----w- c:\docume~1\dave~1.she\applic~1\SUPERAntiSpyware.com
2010-11-04 21:48:36 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\SUPERAntiSpyware.com
2010-11-04 21:48:31 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-11-04 21:45:09 -------- d-----w- c:\docume~1\dave~1.she\locals~1\applic~1\AskToolbar
2010-11-01 16:05:41 -------- d-----w- c:\program files\windows
2010-10-30 20:20:06 -------- d--h--w- C:\$AVG
2010-10-27 10:21:10 -------- d-----w- c:\program files\tmp
2010-10-27 10:20:59 -------- d-----w- c:\program files\Microsoft

==================== Find3M ====================


============= FINISH: 19:03:31.29 ===============



and the gmer log...


GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2010-11-20 18:58:40
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5 ST3320820AS rev.3.AHG
Running: tzwim2gj.exe; Driver: C:\DOCUME~1\DAVE~1.SHE\LOCALS~1\Temp\afnirfog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----


Thanks in advance...
Dave

 

[Broni]

Please, complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
Make sure, you PASTE all logs. If some log exceeds 50,000 characters post limit, split it between couple of replies.
Attached logs won't be reviewed.

=========================================================================

Please, observe following rules:

• Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
• If you're stuck, or you're not sure about certain step, always ask before doing anything else.
• Please refrain from running tools or applying updates other than those I suggest.
• Never run more than one scan at a time.
• Keep updating me regarding your computer behavior, good, or bad.
• The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
• If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
• I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

 

[davidanthony]

Hi,
I performed the steps you recommended and the logs are at the start of this thread.

 

[Broni]

Please, complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/