[In Progress] Google redirect problem. 5 steps followed, logs pasted here

By Helmeticus
Oct 28, 2011
  1. Thank you for any help you may share!


    Malwarebytes' Anti-Malware
    Database version: 8033
    Windows 6.0.6001 Service Pack 1
    Internet Explorer 8.0.6001.18943
    10/28/2011 1:44:34 AM
    mbam-log-2011-10-28 (01-44-34).txt
    Scan type: Quick scan
    Objects scanned: 178608
    Time elapsed: 9 minute(s), 14 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 8
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 2
    Files Infected: 25
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{0196479A-C9AE-475A-8784-8FCF28331106} (Trojan.SHarpro.Gen) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0196479A-C9AE-475A-8784-8FCF28331106} (Trojan.SHarpro.Gen) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{0196479A-C9AE-475A-8784-8FCF28331106} (Trojan.SHarpro.Gen) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0196479A-C9AE-475A-8784-8FCF28331106} (Trojan.SHarpro.Gen) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\svchost (Backdoor.Bot) -> Quarantined and deleted successfully.
    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\-1472955481 (Trojan.Agent.Gen) -> Value: -1472955481 -> Quarantined and deleted successfully.
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500 (Backdoor.Bot) -> Quarantined and deleted successfully.
    c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\download (Backdoor.Bot) -> Quarantined and deleted successfully.
    Files Infected:
    c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\a_friend.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    c:\Users\Ryan\AppData\Local\Temp\jar_cache5957979960257972422.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\Users\Ryan\AppData\Local\Temp\0.1807455868082134.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.
    c:\Users\Ryan\AppData\Local\Temp\0.1822530675191193.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.
    c:\Users\Ryan\AppData\Local\Temp\0.3707323280140855.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.
    c:\Users\Ryan\local settings\application data\tcpipadmin.dll (Trojan.SHarpro.Gen) -> Quarantined and deleted successfully.
    c:\Users\Ryan\AppData\Local\tcpipadmin.dll (Trojan.SHarpro.Gen) -> Quarantined and deleted successfully.
    c:\Users\Ryan\AppData\Local\Temp\nsg8344.tmp\update.dll (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
    c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\svchost.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\aliases.ini (Backdoor.Bot) -> Quarantined and deleted successfully.
    c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\control.ini (Backdoor.Bot) -> Quarantined and deleted successfully.
    c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\Desktop.ini (Backdoor.Bot) -> Quarantined and deleted successfully.
    c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\fullname.txt (Backdoor.Bot) -> Quarantined and deleted successfully.
    c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\hallmark.gif (Backdoor.Bot) -> Quarantined and deleted successfully.
    c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\ident.txt (Backdoor.Bot) -> Quarantined and deleted successfully.
    c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\identd.txt (Backdoor.Bot) -> Quarantined and deleted successfully.
    c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\instsrv.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\mirc.ico (Backdoor.Bot) -> Quarantined and deleted successfully.
    c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\mirc.ini (Backdoor.Bot) -> Quarantined and deleted successfully.
    c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\nicks.txt (Backdoor.Bot) -> Quarantined and deleted successfully.
    c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\notify.txt (Backdoor.Bot) -> Quarantined and deleted successfully.
    c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\popups.txt (Backdoor.Bot) -> Quarantined and deleted successfully.
    c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\remote.ini (Backdoor.Bot) -> Quarantined and deleted successfully.
    c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\servers.ini (Backdoor.Bot) -> Quarantined and deleted successfully.
    c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\users.ini (Backdoor.Bot) -> Quarantined and deleted successfully.

    GMER -
    Rootkit quick scan 2011-10-28 02:06:25
    Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD25 rev.01.0
    Running: 1fux75y5.exe; Driver: C:\Users\Ryan\AppData\Local\Temp\pxldrpog.sys

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----

    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18943 BrowserJavaVersion: 1.6.0_23
    Run by Ryan at 2:07:49 on 2011-10-28
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3573.2098 [GMT -7:00]
    AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
    SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    ============== Running Processes ===============
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Program Files\Dell\DellDock\DockLogin.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    C:\Windows\system32\svchost.exe -k hpdevmgmt
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Program Files\PharosSystems\Core\CTskMstr.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\DellTPad\Apoint.exe
    C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Lexmark Pro700 Series\lxeemon.exe
    C:\Program Files\Lexmark Pro700 Series\ezprint.exe
    C:\Program Files\Logitech\SetPointP\SetPoint.exe
    C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
    C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\DellTPad\ApMsgFwd.exe
    C:\Program Files\DellTPad\HidFind.exe
    C:\Program Files\DellTPad\Apntex.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    ============== Pseudo HJT Report ===============
    uDefault_Page_URL = hxxp://
    uStart Page = hxxp://
    uWindow Title = Internet Explorer provided by Dell
    uInternet Settings,ProxyOverride = <local>;*.local
    uInternet Settings,ProxyServer = http=
    mSearchAssistant = hxxp://{searchTerms}&f=4
    uURLSearchHooks: H - No File
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
    BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll
    BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
    TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
    TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File
    TB: {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - No File
    EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
    uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [Google Update] "c:\users\ryan\appdata\local\google\update\GoogleUpdate.exe" /c
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [Leadertech Update] rundll32 ",DllRegisterServer
    uRun: [Classes Update] rundll32 ",DllRegisterServer
    uRun: [Canon Update] rundll32 ",DllRegisterServer
    uRun: [GoogleTrayTray] rundll32.exe ",DllRegisterServer
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [Apoint] c:\program files\delltpad\Apoint.exe
    mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
    mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
    mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
    mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
    mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
    mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [lxeemon.exe] "c:\program files\lexmark pro700 series\lxeemon.exe"
    mRun: [EzPrint] "c:\program files\lexmark pro700 series\ezprint.exe"
    mRun: [Lexmark Pro700 Series Fax Server] "c:\program files\lexmark pro700 series\fm3032.exe" /s
    mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
    mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
    mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
    mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    StartupFolder: c:\users\ryan\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{ccbaa1f7-e5e1-48b2-9ed9-a79c6a37ce78}\Icon3E5562ED7.ico
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    Trusted Zone:\online
    Trusted Zone:\ttlc
    DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://
    DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxp://
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://
    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://
    TCP: DhcpNameServer =
    TCP: Interfaces\{A2E726EA-6ADB-4993-8943-909C48D701A9} : DhcpNameServer =
    TCP: Interfaces\{F5EDA4B1-EA37-4EBA-A1BF-B549D2CF39BB} : DhcpNameServer =
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxdev.dll
    ================= FIREFOX ===================
    FF - ProfilePath - c:\users\ryan\appdata\roaming\mozilla\firefox\profiles\faeca8v1.default\
    FF - prefs.js: - Search
    FF - prefs.js: browser.startup.homepage - hxxp://
    FF - prefs.js: keyword.URL - hxxp://{searchTerms}&f=4&hl={language}&src=chrm
    FF - prefs.js: network.proxy.http -
    FF - prefs.js: network.proxy.http_port - 53902
    FF - prefs.js: network.proxy.type - 1
    FF - plugin: c:\users\ryan\appdata\local\google\update\\npGoogleOneClick8.dll
    FF - plugin: c:\users\ryan\appdata\roaming\move networks\plugins\npqmp071503000010.dll
    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    ============= SERVICES / DRIVERS ===============
    R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-10-27 36000]
    R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2009-7-25 73728]
    R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-10-27 86224]
    R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2011-10-27 110032]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-10-27 74640]
    R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-4-28 161048]
    R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-25 189736]
    R2 lxee_device;lxee_device;c:\windows\system32\lxeecoms.exe -service --> c:\windows\system32\lxeecoms.exe -service [?]
    R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-7-25 111616]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-13 136176]
    S2 lxeeCATSCustConnectService;lxeeCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxeeserv.exe [2010-1-10 98984]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-12-13 136176]
    S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-1-20 16896]
    S3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\drivers\WSDScan.sys [2008-1-20 19968]
    =============== Created Last 30 ================
    2011-10-28 08:51:30 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{2190ab69-52ef-4402-92c0-6cac921f0389}\offreg.dll
    2011-10-28 08:31:49 -------- d-----w- c:\users\ryan\appdata\roaming\Malwarebytes
    2011-10-28 08:31:15 -------- d-----w- c:\programdata\Malwarebytes
    2011-10-28 08:31:11 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-10-28 08:31:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-10-27 16:22:27 -------- d-----w- c:\users\ryan\appdata\roaming\Avira
    2011-10-27 16:16:28 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-10-27 16:16:28 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
    2011-10-27 16:16:28 -------- d-----w- c:\programdata\Avira
    2011-10-27 16:16:28 -------- d-----w- c:\program files\Avira
    2011-10-25 23:42:42 6668624 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{2190ab69-52ef-4402-92c0-6cac921f0389}\mpengine.dll
    ==================== Find3M ====================
    ============= FINISH: 2:08:27.99 ===============

    DDS (Ver_2011-08-26.01)
    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume3
    Install Date: 7/25/2009 3:18:50 PM
    System Uptime: 10/28/2011 1:51:07 AM (1 hours ago)
    Motherboard: Dell Inc. | | 0U990C
    Processor: Intel(R) Core(TM)2 Duo CPU T5750 @ 2.00GHz | Microprocessor | 2000/166mhz
    ==== Disk Partitions =========================
    C: is FIXED (NTFS) - 220 GiB total, 39.659 GiB free.
    D: is FIXED (NTFS) - 10 GiB total, 5.309 GiB free.
    E: is CDROM ()
    ==== Disabled Device Manager Items =============
    ==== System Restore Points ===================
    ==== Installed Programs ======================
    Update for Microsoft Office 2007 (KB2508958)
    32 Bit HP CIO Components Installer
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 8.3.0
    Adobe Shockwave Player 11.5
    Amazon MP3 Downloader 1.0.5
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Avira Free Antivirus
    Canon Easy-WebPrint EX
    Canon IJ Network Scan Utility
    Canon IJ Network Tool
    Canon MP Navigator EX 3.1
    Canon MX870 series MP Drivers
    Canon MX870 series User Registration
    Canon Speed Dial Utility
    Canon Utilities Easy-PhotoPrint EX
    Canon Utilities My Printer
    Canon Utilities Solution Menu
    Cisco Systems VPN Client
    Citrix Presentation Server Client
    Conexant HDA D330 MDC V.92 Modem
    Dell DataSafe Online
    Dell Dock
    Dell Driver Download Manager
    Dell Getting Started Guide
    Dell Photo Printer 720
    Dell Support Center (Support Software)
    Dell Touchpad
    Digital Line Detect
    doPDF 6.2 printer
    Google Chrome
    Google Desktop
    Google Earth
    Google Update Helper
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) Matrix Storage Manager
    Intel(R) PROSet/Wireless Software
    iPhone Configuration Utility
    Java Auto Updater
    Java(TM) 6 Update 23
    Java(TM) 6 Update 5
    Lexmark Printable Web
    Lexmark Pro700 Series
    Lexmark Tools for Office
    Logitech SetPoint 6.15
    Malwarebytes' Anti-Malware version
    Microsoft .NET Framework 3.5 SP1
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    Modem Diagnostic Tool
    Mozilla Firefox (3.0.13)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Plants vs. Zombies
    Quicken 2009
    Roxio Creator Audio
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE
    Roxio Creator Tools
    Roxio Express Labeler 3
    Roxio Update Manager
    Seagate Manager Installer
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB2553074)
    Security Update for 2007 Microsoft Office System (KB2553089)
    Security Update for 2007 Microsoft Office System (KB2553090)
    Security Update for 2007 Microsoft Office System (KB2584063)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Office Excel 2007 (KB2553073)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
    Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Skype Toolbars
    Skype™ 5.0
    TurboTax 2009
    TurboTax 2009 wcaiper
    TurboTax 2009 WinPerFedFormset
    TurboTax 2009 WinPerReleaseEngine
    TurboTax 2009 WinPerTaxSupport
    TurboTax 2009 wrapper
    TurboTax 2010
    TurboTax 2010 wcaiper
    TurboTax 2010 WinPerFedFormset
    TurboTax 2010 WinPerReleaseEngine
    TurboTax 2010 WinPerTaxSupport
    TurboTax 2010 wrapper
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 System (KB2539530)
    Update for Microsoft Office OneNote 2007 (KB980729)
    VoiceOver Kit
    WIDCOMM Bluetooth Software
    Windows Live OneCare safety scanner
    Yahoo! Software Update
    Yahoo! Toolbar
    ==== End Of File ===========================
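The two reports pasted above are the kind of output a helper reads by hand, but the same reading can be scripted: pull each Malwarebytes detection line apart into location, path, threat family and action, confirm the per-section counts in the summary block agree with the detail lines, and scan the DDS pseudo-HijackThis section for two things a defender checks first on a machine whose searches redirect: autostart entries that launch `rundll32` with no DLL path left to inspect, and browsers configured to use a manual HTTP proxy (the report shows an IE `ProxyServer` value and Firefox `network.proxy.type` set to 1 with `http_port` 53902). The following is an added example, not code from the thread, from Malwarebytes or from DDS; the sample strings are constructed from the shape of the logs above with a few of their entries copied in, and the finding labels (`run-entry-no-dll`, `ie-proxy`, and so on) are this example's own.

```python
"""Triage helpers for pasted anti-malware and HijackThis-style logs (added example)."""
import re
from collections import Counter, namedtuple

Detection = namedtuple("Detection", "section path family action")

# Summary block line: "Registry Keys Infected: 8".  A section header is the
# same text without a count: "Registry Keys Infected:".
SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
# Detail line: "<path> (<family>) -> [Value: <v> -> ]<action>"
DETECT_RE = re.compile(
    r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?:Value: .+? -> )?(?P<action>.+)$")
# Autostart line in the DDS report: "uRun: [<name>] <command line>"
RUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")

# Constructed sample in the shape of the MBAM log above (entries copied from it).
SAMPLE_MBAM = r"""
Malwarebytes' Anti-Malware
Database version: 8033
Scan type: Quick scan
Memory Processes Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{0196479A-C9AE-475A-8784-8FCF28331106} (Trojan.SHarpro.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\svchost (Backdoor.Bot) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\-1472955481 (Trojan.Agent.Gen) -> Value: -1472955481 -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\svchost.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\Users\Ryan\AppData\Local\tcpipadmin.dll (Trojan.SHarpro.Gen) -> Quarantined and deleted successfully.
"""

# Constructed sample in the shape of the DDS pseudo-HJT report above.
SAMPLE_HJT = r"""
uRun: [Google Update] "c:\users\ryan\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Leadertech Update] rundll32 ",DllRegisterServer
uRun: [GoogleTrayTray] rundll32.exe ",DllRegisterServer
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
uInternet Settings,ProxyServer = http=
FF - prefs.js: network.proxy.http_port - 53902
FF - prefs.js: network.proxy.type - 1
"""


def parse_mbam(text):
    """Return (summary counts by section, list of Detection) from an MBAM log."""
    summary, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m["section"]] = int(m["count"])
            continue
        if line.endswith(" Infected:"):
            section = line[:-1]          # entering a detail section
            continue
        m = DETECT_RE.match(line) if section else None
        if m:
            detections.append(Detection(section, m["path"], m["family"], m["action"]))
    return summary, detections


def count_mismatches(summary, detections):
    """Sections whose summary count disagrees with the detail lines: {section: (claimed, found)}."""
    found = Counter(d.section for d in detections)
    return {s: (n, found.get(s, 0)) for s, n in summary.items() if found.get(s, 0) != n}


def families(detections):
    """How many detections each threat family accounts for."""
    return Counter(d.family for d in detections)


def flag_hjt(text):
    """Indicators worth a second look in a DDS/HJT-style report, as (label, detail) tuples."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m and m["cmd"].lower().startswith("rundll32"):
            # rundll32 "<dll>",<entry>: an empty DLL argument means the module
            # that actually runs at logon cannot be identified from the report.
            parts = m["cmd"].split(None, 1)
            args = parts[1] if len(parts) > 1 else ""
            dll = args.rsplit(",", 1)[0].strip().strip('"')
            if not dll:
                findings.append(("run-entry-no-dll", m["name"]))
        elif line.startswith("uInternet Settings,ProxyServer ="):
            findings.append(("ie-proxy", line.split("=", 1)[1].strip()))
        elif line.startswith("FF - prefs.js: network.proxy.type -"):
            if line.rsplit("-", 1)[1].strip() == "1":   # 1 = manual proxy configuration
                findings.append(("ff-manual-proxy", "network.proxy.type=1"))
        elif line.startswith("FF - prefs.js: network.proxy.http_port -"):
            findings.append(("ff-proxy-port", line.rsplit("-", 1)[1].strip()))
    return findings


if __name__ == "__main__":
    summary, dets = parse_mbam(SAMPLE_MBAM)
    print("detections by family:", dict(families(dets)))
    print("summary/detail mismatches:", count_mismatches(summary, dets))
    for label, detail in flag_hjt(SAMPLE_HJT):
        print(f"{label}: {detail}")
```

Run as a script it prints the family breakdown, an empty mismatch dictionary for the consistent sample, and the five flagged lines. A proxy finding is only a prompt to verify: some environments set browser proxies legitimately, but on a home machine with a redirect complaint it is the first setting to compare against what the user expects, and the two browsers here agree with each other.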
  2. Bobbye


    Welcome to TechSpot!

    I'd like to give you some information first- the choice is yours: Your main infection has been due to Backdoor.bots. While some entries have been removed in Mbam, please read the following:
    What is a
    And yes- it makes Registry changes to the firewall, the Security Center. It can do or cause:
    1. Use of the machine as part of a botnet (e.g. to perform automated spamming or to distribute Denial-of-service attacks)
    2. Data theft (e.g. retrieving passwords or credit card information)
    3. Installation of software, including third-party malware
    4. Downloading or uploading of files on the user's computer
    5. Modification or deletion of files
    6. Keystroke logging
    7. Watching the user's screen
    8. Wasting the computer's storage space
    9. Crashing the computer

    Being advised of this, would you rather consider a reformat/reinstall instead of an attempt to clean which may not find or remove all of its code?
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.

    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
  3. Helmeticus


    Reformatting / reinstalling

    Thanks for your response, Bobbye! I have decided to reformat and reinstall as I do indeed bank online. Only two questions remain:

    1. USB flash drive/ backing up data: I use a USB flash drive for some critical files. How can I be sure I won't re-corrupt my computer with this if I continue to use it after I reformat/reinstall? Also, I have a backup hard drive that I use for files only, no applications. Do I need to reformat this as well?

    2. Easy instructions for reformatting/reinstalling: I am unable to locate any system disk that might have come with the computer. I'm pretty novice with system details. Can you point me to some good instructions to efficiently reformat/reboot my machine?

    Thanks again for your generous help with this very frustrating problem!
  4. Bobbye


    You can disinfect the flash drive and any other removable drives:

    Please disinfect all movable drives
    1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
    2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
      Note: Some security programs will flag Flash_Disinfector as being some sort of malware, you can safely ignore these warnings
    3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    4. Wait until it has finished scanning and then exit the program.
    5. Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
    Regarding this:

    The Recycler is a hidden, protected system file. It is the folder where processes that are deleted are kept. They are eventually overwritten unless you use one of the overwriting programs. I'd like to try and remove these entries.

    This has 2 conditions:
    1. the Recycle bin itself has to be empty.
    2. Hidden files and folders have to show:
    Show Hidden Files and Folders in Windows Vista and Windows 7:
    • Click on the Start button and select Computer
    • Press the Alt key on your keyboard and click on Tools
    • Select Folder Options
    • Click the View tab and make sure that Show hidden files and folders is selected under Hidden files and folders
    • Next, uncheck the box next to Hide protected operating system files (Recommended)
    • Then, uncheck the box next to Hide extensions for known file types
    • Click Apply then click OK
    Please be sure to rehide the files and folders when you have finished.
    Use Windows Explorer to navigate to the Recycler. Click to open and look for this SID on the right screen: s-1-5-21-606747145-1085031214-725345543-500 This is the account with the deleted files.

    Try doing a right click> Delete on this account.
    Please note, for some unknown reason, this will not always allow the delete, instead giving a message that it's "in use."

    If that happens, try the following:
    1. Click Start, click Run, type cmd.exe in the Open box, and then click OK.
    2. Change to the drive and folder where you deleted the files. For example if you deleted a file from the C:\Windows folder, type cd\windows at the C: prompt, and then press ENTER.
    3. From that folder type cd recycler, and then press ENTER.
    4. From the Recycler folder type dir, and then press ENTER. You may see some UserSID folders where SID is the security ID for each user who deleted files in that folder.
    5. Type cd userSID, and then press ENTER.
    6. Type del *.*, and then press ENTER. If you receive an error message that indicates some files are open, quit all the programs running on your computer.
    7. Type cd.., press ENTER, and then repeat steps 5-7 for each folder in the Recycler folder.
    8. Type exit, and then press ENTER.

    CMD instructions courtesy Microsoft.
    You will find excellent reformat/reinstall instructions here:

    I think you made a wise decision. There is no way of knowing how long the bot was around. With so many entries in the Recycler, assuming the worst is the safest way to go.
  5. Helmeticus


    Reformatting / reinstalling with Windows 7

    I was thinking of upgrading to windows 7 with the reformat / reinstall. Do you think that's a good idea? And if so, will my reformat / reinstall instructions differ from the link you have given me?

    You've been so helpful. I appreciate it tremendously! THANK YOU!

  6. Bobbye

