Solved And another Google redirect problem


endofdays
I noticed today that I'm getting redirected to search engine sites when clicking on links in Google. I haven't used the net for a few days, and I'm normally careful about clicking links but Java hasn't been updated for a while (it is now) so I don't know if that's allowed a virus in the back door and I'm only just noticing it.

I've run AVG and Spyware Doctor and neither of those are picking anything up. I downloaded and ran Hitman Pro 3.5.6, which picked up and removed a Trojan but I'm still getting redirected. Malwarebytes hasn't picked anything up yet, though it hasn't finished scanning. I ran Hijack This and have attached the log. I can't make any sense of it so if anyone's able to take a look and offer some advice I'd really appreciate it.
Thanks for the reply.

I spent a lot of time running anti virus, spyware and malware programmes last night - Spyware Doctor picked up and removed a Trojan, as did Hitman Pro - and when I went online this morning the redirect had stopped. I did install Microsoft Security Essentials as another forum suggested that might find something, though as I also have AVG installed I'll remove the Microsoft programme later.

I've followed the steps though and Malwarebytes picked up and removed a Trojan. I did have trouble with GMER - I ran it in both normal and safe mode and both times the computer shut itself down and a blue screen came up saying Windows had to close to prevent damage to the computer. I went through the rest of the steps though and have included the Malwarebytes and DDS logs below, and have attached the Malwarebytes, DDS and Attach logs to this post as the text box wasn't big enough for me to be able to include them all.


Malwarebytes:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 6.0.6000
Internet Explorer 7.0.6000.17037

03/07/2010 08:12:55
mbam-log-2010-07-03 (08-12-55).txt

Scan type: Quick scan
Objects scanned: 118079
Time elapsed: 12 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hwajepixoxi (Trojan.Agent.U) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


DDS:
DDS (Ver_10-03-17.01) - NTFSx86
Run by Bethan at 9:11:40.20 on 03/07/2010
Internet Explorer: 7.0.6000.17037 BrowserJavaVersion: 1.6.0_20
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.44.1033.18.1789.853 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
SP: Microsoft Security Essentials *enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDE}
SP: Spyware Doctor *enabled* (Updated) {1C3EDD79-273E-46ac-99F8-EFA9E7CBC301}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\FSC\TouchPad HotKey Utility\TouchPad_HotKey.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Windows\ehome\ehtray.exe
D:\Program Files\WZQKPICK.EXE
C:\Program Files\FSC\Wireless Utility\WirelessSelector.exe
D:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
D:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Bethan\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.orange.co.uk
uDefault_Page_URL = hxxp://www.orange.co.uk
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: Orange Toolbar: {e97b5f2e-ca8e-4d34-bda3-44eec4ed2b12} - c:\program files\orange toolbar uk\ToolbarContainer211.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
EB: Orange Toolbar: {e97b5f2e-ca8e-4d34-bda3-44eec4ed2b12} - c:\program files\orange toolbar uk\ToolbarContainer211.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [TouchPadHotKey] c:\program files\fsc\touchpad hotkey utility\TouchPad_HotKey.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\users\bethan\appdata\roaming\micros~1\windows\startm~1\programs\startup\bbcipl~1.lnk - d:\program files\bbc iplayer desktop\BBC iPlayer Desktop.exe
StartupFolder: c:\users\bethan\appdata\roaming\micros~1\windows\startm~1\programs\startup\pictur~1.lnk - d:\program files\sony\sony picture utility\volumewatcher\SPUVolumeWatcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\winzip~1.lnk - d:\program files\WZQKPICK.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\wirele~1.lnk - c:\program files\fsc\wireless utility\WirelessSelector.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
AppInit_DLLs: avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\bethan\appdata\roaming\mozilla\firefox\profiles\tltbydfq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\users\bethan\appdata\roaming\mozilla\firefox\profiles\tltbydfq.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\users\bethan\appdata\roaming\facebook\npfbplugin_1_0_3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast -
============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-5-10 218592]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-4 216200]
R1 AvgMfx86;AVG Minifilter x86 Resident Driver;c:\windows\system32\drivers\avgmfx86.sys [2008-2-23 29584]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-4 242896]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-27 308064]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-1-4 112592]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 42368]
R3 SiS6350;SiS6350;c:\windows\system32\drivers\SISGRKMD.sys [2007-9-14 456568]
R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\drivers\SiSGB6.sys [2007-10-26 47616]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2006-11-2 167936]

=============== Created Last 30 ================

2010-07-03 07:32:21 93056 ----a-w- C:\ugliipow.sys
2010-07-03 07:29:32 250051986 ----a-w- c:\windows\MEMORY.DMP
2010-07-02 21:43:31 0 d-----w- c:\program files\Microsoft Security Essentials
2010-07-02 19:05:19 478 ----a-w- c:\windows\system32\.crusader
2010-07-02 18:57:15 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-07-02 18:57:03 0 d-----w- c:\programdata\Hitman Pro
2010-07-02 18:56:52 0 d-----w- c:\program files\Hitman Pro 3.5
2010-07-02 18:23:03 0 d-----w- c:\programdata\Sun
2010-07-02 18:22:30 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-26 08:12:06 62744 ----a-w- c:\windows\system32\xinput1_2.dll
2010-06-26 08:12:06 236824 ----a-w- c:\windows\system32\xactengine2_3.dll
2010-06-26 08:11:23 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2010-06-26 08:10:34 118520 ----a-w- c:\windows\system32\PxInsI64.exe
2010-06-26 08:10:34 115960 ----a-w- c:\windows\system32\PxCpyI64.exe

==================== Find3M ====================

2010-06-08 02:16:01 763832 ----a-w- c:\windows\BDTSupport.dll
2010-06-08 00:21:02 1652664 ----a-w- c:\windows\PCTBDCore.dll
2010-06-04 20:20:54 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-01 17:37:48 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-03-29 17:03:08 86016 ----a-w- c:\windows\inf\infstrng.dat
2010-03-29 17:03:08 86016 ----a-w- c:\windows\inf\infstor.dat
2010-03-29 17:03:08 51200 ----a-w- c:\windows\inf\infpub.dat
2008-12-31 11:14:56 174 --sha-w- c:\program files\desktop.ini
2008-10-19 15:20:29 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2010-03-14 10:31:49 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2010-03-14 10:31:49 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2010-03-14 10:31:49 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2007-09-10 06:27:38 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 9:14:06.20 ===============
You can't run two AV programs at the same time.
AVG or MSE must go before we proceed further.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
I uninstalled MSE before running ComboFix. Here's the ComboFix report:

ComboFix 10-07-01.02 - Bethan 03/07/2010 18:14:32.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.44.1033.18.1789.890 [GMT 1:00]
Running from: c:\users\Bethan\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Spyware Doctor *disabled* (Updated) {1C3EDD79-273E-46ac-99F8-EFA9E7CBC301}
SP: Windows Defender *enabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Thumbs.db

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2010-06-03 to 2010-07-03 )))))))))))))))))))))))))))))))
.

2010-07-03 17:24 . 2010-07-03 17:29 -------- d-----w- c:\users\Bethan\AppData\Local\temp
2010-07-03 17:24 . 2010-07-03 17:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-07-03 07:32 . 2010-07-03 07:32 93056 ----a-w- C:\ugliipow.sys
2010-07-03 06:51 . 2010-04-10 21:16 38784 ----a-w- c:\users\Bethan\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-07-02 18:57 . 2010-07-03 08:50 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-07-02 18:57 . 2010-07-02 19:05 -------- d-----w- c:\programdata\Hitman Pro
2010-07-02 18:56 . 2010-07-02 18:56 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-07-02 18:22 . 2010-07-02 18:22 -------- d-----w- c:\program files\Common Files\Java
2010-07-02 18:22 . 2010-04-12 16:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-26 08:12 . 2006-07-28 08:30 236824 ----a-w- c:\windows\system32\xactengine2_3.dll
2010-06-26 08:12 . 2006-07-28 08:30 62744 ----a-w- c:\windows\system32\xinput1_2.dll
2010-06-26 08:11 . 2005-05-26 14:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2010-06-26 08:10 . 2006-11-02 15:57 118520 ----a-w- c:\windows\system32\PxInsI64.exe
2010-06-26 08:10 . 2006-10-18 18:43 115960 ----a-w- c:\windows\system32\PxCpyI64.exe
2010-06-26 07:14 . 2010-06-26 07:14 -------- d-----w- c:\users\Bethan\AppData\Roaming\Sony Corporation
2010-06-26 06:57 . 2010-06-26 06:57 -------- d-----w- c:\users\Bethan\AppData\Roaming\InstallShield
2010-06-20 20:40 . 2010-07-02 18:28 120 ----a-w- c:\users\Bethan\AppData\Local\Bludunifu.dat
2010-06-20 20:40 . 2010-07-02 07:35 0 ----a-w- c:\users\Bethan\AppData\Local\Ysefuliviha.bin
2010-06-20 20:40 . 2010-06-20 20:40 -------- d-----w- c:\users\Bethan\AppData\Local\{D19A7CDE-370F-4CCA-8145-412C98A03C1E}
2010-06-04 20:22 . 2010-06-04 20:22 29512 ----a-w- c:\programdata\avg9\update\backup\avgmfx86.sys
2010-06-04 20:22 . 2010-06-04 20:22 242896 ----a-w- c:\programdata\avg9\update\backup\avgtdix.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-03 17:29 . 2008-12-31 10:36 -------- d-----w- c:\program files\Spyware Doctor
2010-07-03 09:28 . 2010-03-30 16:42 0 ----a-w- c:\users\Bethan\AppData\Local\prvlcl.dat
2010-07-03 06:54 . 2010-01-14 15:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-03 06:38 . 2008-02-20 22:17 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-02 18:22 . 2008-05-18 11:38 -------- d-----w- c:\program files\Java
2010-06-27 21:13 . 2008-05-18 14:12 -------- d-----w- c:\users\Bethan\AppData\Roaming\vlc
2010-06-26 08:13 . 2008-02-21 07:04 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-26 06:39 . 2009-11-12 18:03 -------- d-----w- c:\programdata\avg9
2010-06-08 02:16 . 2010-01-04 08:59 763832 ----a-w- c:\windows\BDTSupport.dll
2010-06-08 00:21 . 2010-01-04 08:59 1652664 ----a-w- c:\windows\PCTBDCore.dll
2010-06-04 20:20 . 2009-03-04 20:28 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-04 20:20 . 2008-02-23 14:28 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-06-01 17:37 . 2009-11-12 17:32 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-29 14:39 . 2010-01-14 15:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 14:39 . 2010-01-14 15:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-24 20:47 . 2010-04-24 20:47 50354 ----a-w- c:\users\Bethan\AppData\Roaming\Facebook\uninstall.exe
2010-04-08 13:29 . 2009-05-10 20:10 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2007-09-10 06:27 . 2007-09-10 04:49 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-04-19 09:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-09-10 1006264]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-10 869936]
"RtHDVCpl"="RtHDVCpl.exe" [2007-08-09 4702208]
"TouchPadHotKey"="c:\program files\FSC\TouchPad HotKey Utility\TouchPad_HotKey.exe" [2007-08-13 364544]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-06-08 236016]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-05-28 1287120]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-03-09 37888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-04 2065248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\users\Bethan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
BBC iPlayer Desktop.lnk - d:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [2010-4-10 95232]
Picture Motion Browser Media Check Tool.lnk - d:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2010-6-26 368640]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-2-23 113664]
WinZip Quick Pick.lnk - d:\program files\WZQKPICK.EXE [2009-10-13 495432]
WirelessSelector.lnk - c:\program files\FSC\Wireless Utility\WirelessSelector.exe [2008-2-21 650752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2006-11-02 167936]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-03-29 218592]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-03-27 216200]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-06-04 242896]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-03-27 308064]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2010-01-22 112592]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2010-03-11 366840]
S3 SiS6350;SiS6350;c:\windows\system32\DRIVERS\SISGRKMD.sys [2007-08-14 456568]
S3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\DRIVERS\SiSGB6.sys [2007-07-04 47616]


--- Other Services/Drivers In Memory ---

*Deregistered* - PCTSDInjDriver32
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.orange.co.uk
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Bethan\AppData\Roaming\Mozilla\Firefox\Profiles\tltbydfq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\users\Bethan\AppData\Roaming\Mozilla\Firefox\Profiles\tltbydfq.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\users\Bethan\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - .

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-03 18:30
Windows 6.0.6000 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3780)
c:\windows\System32\npmproxy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Spyware Doctor\pctsSvc.exe
.
**************************************************************************
.
Completion time: 2010-07-03 18:34:56 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-03 17:34

Pre-Run: 2,244,231,168 bytes free
Post-Run: 1,827,729,408 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=64 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64
- - End Of File - - B69FE513BD34A29C2C3DFEC1FFF081C2



I did have to restart my computer after the ComboFix reboot because every time I tried to open a programme (like Mozilla) it came up with an error message. I can't remember all it said, but it was something to do with the registry file being marked for deletion or something similar. Not sure if that means anything though.
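The DDS "Created Last 30" and ComboFix "Files Created" listings above are what the helper mined to build the CFScript entries. As an added example (not code from this thread, nor from DDS, ComboFix or Malwarebytes), the following Python script parses both line formats and applies two assumed triage rules: a file written straight into a drive root or straight under AppData\Local, and anything created in the same minute as such a file. The sample lines are copied from the logs posted above; the regexes, the location rule and the minute-clustering rule are this example's own assumptions.

```python
"""Triage helper for the 'files created' sections of DDS and ComboFix logs.

Added example for this thread, not part of the original post and not code from
DDS, ComboFix or Malwarebytes. The location rule and the same-minute rule below
are this example's assumptions, not rules published by either tool.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# DDS line:      2010-07-03 07:32:21 93056 ----a-w- C:\ugliipow.sys
# ComboFix line: 2010-07-03 07:32 . 2010-07-03 07:32 93056 ----a-w- C:\ugliipow.sys
#                (created . modified size attributes path; size is -------- for directories)
DDS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S{8})\s+(.+)$")
CF_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \S+ \S+\s+(\S+)\s+(\S{8})\s+(.+)$")

# Locations where a newly created *file* is unusual enough to deserve attention:
# directly in a drive root, or directly under <user>\AppData\Local (not in a subfolder).
DROP_LOCATION = re.compile(
    r"^[a-z]:\\[^\\]+$"
    r"|^[a-z]:\\users\\[^\\]+\\appdata\\local\\[^\\]+$",
    re.IGNORECASE,
)
# Housekeeping names that legitimately live in those places.
BENIGN_NAMES = {"temp", "desktop.ini", "pagefile.sys", "hiberfil.sys"}


@dataclass(frozen=True)
class Entry:
    created: datetime       # truncated to the minute so both formats cluster the same way
    size: Optional[int]     # None for directories
    is_dir: bool
    path: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one DDS or ComboFix entry line; return None for headers and other noise."""
    line = line.strip()
    m = DDS_RE.match(line)
    if m:
        stamp, size, attrs, path = m.groups()
        created = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
    else:
        m = CF_RE.match(line)
        if not m:
            return None
        stamp, size, attrs, path = m.groups()
        created = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
    is_dir = attrs.startswith("d")
    size_value = int(size) if (size.isdigit() and not is_dir) else None
    return Entry(created.replace(second=0), size_value, is_dir, path)


def is_suspicious_drop(entry: Entry) -> bool:
    """Primary rule: a file (never a directory) placed where installers don't normally write."""
    name = entry.path.rsplit("\\", 1)[-1].lower()
    return (not entry.is_dir
            and name not in BENIGN_NAMES
            and DROP_LOCATION.match(entry.path) is not None)


def triage(lines) -> dict:
    """Return {path: reason} for entries worth checking before writing a removal script."""
    entries = [e for e in map(parse_line, lines) if e is not None]
    primary = {e.path for e in entries if is_suspicious_drop(e)}
    hot_minutes = {e.created for e in entries if e.path in primary}
    hits = {}
    for e in entries:
        if e.path in primary:
            hits[e.path] = "file written directly into a drive root or AppData\\Local"
        elif e.created in hot_minutes:
            # Secondary rule: same creation minute as a primary hit, so likely the same dropper.
            hits[e.path] = f"created in the same minute ({e.created:%Y-%m-%d %H:%M}) as a flagged file"
    return hits


# Sample lines copied from the DDS and ComboFix logs posted in this thread; the
# section header is included on purpose to show that non-entry lines are ignored.
SAMPLE_LOG = r"""
=============== Created Last 30 ================
2010-07-03 07:32:21 93056 ----a-w- C:\ugliipow.sys
2010-07-03 07:29:32 250051986 ----a-w- c:\windows\MEMORY.DMP
2010-07-02 21:43:31 0 d-----w- c:\program files\Microsoft Security Essentials
2010-07-02 18:57:15 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-07-02 18:57:03 0 d-----w- c:\programdata\Hitman Pro
2010-07-03 17:24 . 2010-07-03 17:29 -------- d-----w- c:\users\Bethan\AppData\Local\temp
2010-07-03 06:51 . 2010-04-10 21:16 38784 ----a-w- c:\users\Bethan\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-06-20 20:40 . 2010-07-02 18:28 120 ----a-w- c:\users\Bethan\AppData\Local\Bludunifu.dat
2010-06-20 20:40 . 2010-07-02 07:35 0 ----a-w- c:\users\Bethan\AppData\Local\Ysefuliviha.bin
2010-06-20 20:40 . 2010-06-20 20:40 -------- d-----w- c:\users\Bethan\AppData\Local\{D19A7CDE-370F-4CCA-8145-412C98A03C1E}
2010-07-03 09:28 . 2010-03-30 16:42 0 ----a-w- c:\users\Bethan\AppData\Local\prvlcl.dat
"""

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{path}\n    {reason}")
```

On the sample above it flags the three files the helper later put into the CFScript, Bludunifu.dat, and the GUID-named folder created in the same minute, while leaving the Hitman Pro driver and the temp folder alone.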
Not sure if that means anything though.
Yes, that's a common message ("file being marked for deletion"), if the computer is not restarted.

How is redirection?

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
C:\ugliipow.sys
c:\users\Bethan\AppData\Local\Ysefuliviha.bin
c:\users\Bethan\AppData\Local\prvlcl.dat


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: CFScript.gif]



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
Ah that's cool. It was fine after my manual restart so that must have been the problem.

Redirection hasn't been a problem since I switched on the machine this morning, but Spyware Doctor has picked up another 25 Trojans in the system, which is a bit worrying even though it says it's deleted them.

I'll drag that text file into ComboFix now and post the results.
 
Okey doke, log results are:

ComboFix 10-07-01.02 - Bethan 03/07/2010 19:11:29.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.44.1033.18.1789.835 [GMT 1:00]
Running from: c:\users\Bethan\Desktop\ComboFix.exe
Command switches used :: c:\users\Bethan\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Spyware Doctor *disabled* (Updated) {1C3EDD79-273E-46ac-99F8-EFA9E7CBC301}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"C:\ugliipow.sys"
"c:\users\Bethan\AppData\Local\prvlcl.dat"
"c:\users\Bethan\AppData\Local\Ysefuliviha.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ugliipow.sys
c:\users\Bethan\AppData\Local\prvlcl.dat
c:\users\Bethan\AppData\Local\Ysefuliviha.bin

.
((((((((((((((((((((((((( Files Created from 2010-06-03 to 2010-07-03 )))))))))))))))))))))))))))))))
.

2010-07-03 18:19 . 2010-07-03 18:19 -------- d-----w- c:\users\Bethan\AppData\Local\temp
2010-07-03 18:19 . 2010-07-03 18:19 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-07-03 18:19 . 2010-07-03 18:19 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-07-03 18:09 . 2010-07-03 18:10 -------- d-----w- C:\32788R22FWJFW
2010-07-03 06:51 . 2010-04-10 21:16 38784 ----a-w- c:\users\Bethan\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-07-02 18:57 . 2010-07-03 08:50 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-07-02 18:57 . 2010-07-02 19:05 -------- d-----w- c:\programdata\Hitman Pro
2010-07-02 18:56 . 2010-07-02 18:56 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-07-02 18:22 . 2010-07-02 18:22 -------- d-----w- c:\program files\Common Files\Java
2010-07-02 18:22 . 2010-04-12 16:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-26 08:12 . 2006-07-28 08:30 236824 ----a-w- c:\windows\system32\xactengine2_3.dll
2010-06-26 08:12 . 2006-07-28 08:30 62744 ----a-w- c:\windows\system32\xinput1_2.dll
2010-06-26 08:11 . 2005-05-26 14:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2010-06-26 08:10 . 2006-11-02 15:57 118520 ----a-w- c:\windows\system32\PxInsI64.exe
2010-06-26 08:10 . 2006-10-18 18:43 115960 ----a-w- c:\windows\system32\PxCpyI64.exe
2010-06-26 07:14 . 2010-06-26 07:14 -------- d-----w- c:\users\Bethan\AppData\Roaming\Sony Corporation
2010-06-26 06:57 . 2010-06-26 06:57 -------- d-----w- c:\users\Bethan\AppData\Roaming\InstallShield
2010-06-20 20:40 . 2010-07-02 18:28 120 ----a-w- c:\users\Bethan\AppData\Local\Bludunifu.dat
2010-06-20 20:40 . 2010-06-20 20:40 -------- d-----w- c:\users\Bethan\AppData\Local\{D19A7CDE-370F-4CCA-8145-412C98A03C1E}
2010-06-04 20:22 . 2010-06-04 20:22 29512 ----a-w- c:\programdata\avg9\update\backup\avgmfx86.sys
2010-06-04 20:22 . 2010-06-04 20:22 242896 ----a-w- c:\programdata\avg9\update\backup\avgtdix.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-03 18:03 . 2008-12-31 10:36 -------- d-----w- c:\program files\Spyware Doctor
2010-07-03 06:54 . 2010-01-14 15:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-03 06:38 . 2008-02-20 22:17 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-02 18:22 . 2008-05-18 11:38 -------- d-----w- c:\program files\Java
2010-06-27 21:13 . 2008-05-18 14:12 -------- d-----w- c:\users\Bethan\AppData\Roaming\vlc
2010-06-26 08:13 . 2008-02-21 07:04 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-26 06:39 . 2009-11-12 18:03 -------- d-----w- c:\programdata\avg9
2010-06-08 02:16 . 2010-01-04 08:59 763832 ----a-w- c:\windows\BDTSupport.dll
2010-06-08 00:21 . 2010-01-04 08:59 1652664 ----a-w- c:\windows\PCTBDCore.dll
2010-06-04 20:20 . 2009-03-04 20:28 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-04 20:20 . 2008-02-23 14:28 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-06-01 17:37 . 2009-11-12 17:32 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-29 14:39 . 2010-01-14 15:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 14:39 . 2010-01-14 15:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-24 20:47 . 2010-04-24 20:47 50354 ----a-w- c:\users\Bethan\AppData\Roaming\Facebook\uninstall.exe
2010-04-08 13:29 . 2009-05-10 20:10 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2007-09-10 06:27 . 2007-09-10 04:49 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-04-19 09:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-09-10 1006264]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-10 869936]
"RtHDVCpl"="RtHDVCpl.exe" [2007-08-09 4702208]
"TouchPadHotKey"="c:\program files\FSC\TouchPad HotKey Utility\TouchPad_HotKey.exe" [2007-08-13 364544]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-06-08 236016]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-05-28 1287120]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-03-09 37888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-04 2065248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\users\Bethan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
BBC iPlayer Desktop.lnk - d:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [2010-4-10 95232]
Picture Motion Browser Media Check Tool.lnk - d:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2010-6-26 368640]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-2-23 113664]
WinZip Quick Pick.lnk - d:\program files\WZQKPICK.EXE [2009-10-13 495432]
WirelessSelector.lnk - c:\program files\FSC\Wireless Utility\WirelessSelector.exe [2008-2-21 650752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2006-11-02 167936]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-03-29 218592]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-03-27 216200]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-06-04 242896]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-03-27 308064]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2010-01-22 112592]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2010-03-11 366840]
S3 SiS6350;SiS6350;c:\windows\system32\DRIVERS\SISGRKMD.sys [2007-08-14 456568]
S3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\DRIVERS\SiSGB6.sys [2007-07-04 47616]


--- Other Services/Drivers In Memory ---

*Deregistered* - PCTSDInjDriver32
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.orange.co.uk
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Bethan\AppData\Roaming\Mozilla\Firefox\Profiles\tltbydfq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\users\Bethan\AppData\Roaming\Mozilla\Firefox\Profiles\tltbydfq.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\users\Bethan\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - .

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-03 19:19
Windows 6.0.6000 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-07-03 19:23:33
ComboFix-quarantined-files.txt 2010-07-03 18:23
ComboFix2.txt 2010-07-03 17:34

Pre-Run: 1,760,825,344 bytes free
Post-Run: 1,590,317,056 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=64 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64
- - End Of File - - 48E99E32A3000EEB908E807ACDAC51E2



Thanks so much for all your help!
 

Attachment: combofix CFScript 3-7-10.txt (11.9 KB)
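The CFScript above names three files, and the "Other Deletions" block in the log that followed confirms ComboFix removed them. What makes a helper pick those three out of a page of "Files Created" lines is a small set of rules of thumb: a kernel driver (.sys) that is not under system32\drivers, something new sitting directly in the root of the system drive, and a loose file dropped straight into a user's AppData\Local rather than into a vendor folder. The following is an added example, not part of this thread and not ComboFix's own code: a Python parser for the "Files Created" layout ComboFix prints, with those three rules applied. The sample log is constructed after the lines posted in this thread; the timestamps and sizes of the three deleted files are assumed, since the posted log lists them only under "Other Deletions". The result is a review list, not a malware verdict.

```python
"""Triage of a ComboFix "Files Created" section (added example).

Not part of the thread or of ComboFix. Parses the line layout ComboFix
prints (created, modified, size, attribute string, path) and flags the
entries a helper would look at first. Heuristics only: the result is a
review list, not a malware verdict.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, modelled on the lines posted in the thread. The
# timestamps and sizes of the three files ComboFix deleted are assumed.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2010-06-03 to 2010-07-03 )))))))))))))))))))))))))))))))
.
2010-07-03 18:19 . 2010-07-03 18:19 -------- d-----w- c:\users\Bethan\AppData\Local\temp
2010-07-03 18:09 . 2010-07-03 18:10 -------- d-----w- C:\32788R22FWJFW
2010-07-02 18:57 . 2010-07-03 08:50 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-07-02 18:56 . 2010-07-02 18:56 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-06-20 20:40 . 2010-07-02 18:28 120 ----a-w- c:\users\Bethan\AppData\Local\Bludunifu.dat
2010-06-20 20:40 . 2010-06-20 20:40 -------- d-----w- c:\users\Bethan\AppData\Local\{D19A7CDE-370F-4CCA-8145-412C98A03C1E}
2010-06-20 20:39 . 2010-06-20 20:39 51712 ----a-w- C:\ugliipow.sys
2010-06-20 20:39 . 2010-06-20 20:39 4096 ----a-w- c:\users\Bethan\AppData\Local\Ysefuliviha.bin
2010-06-20 20:39 . 2010-06-20 20:39 560 ----a-w- c:\users\Bethan\AppData\Local\prvlcl.dat
.
"""

# e.g. "2010-06-20 20:40 . 2010-07-02 18:28 120 ----a-w- c:\...\Bludunifu.dat"
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) "          # eight dashes for a directory
    r"(?P<attrs>\S{8}) "            # e.g. ----a-w-, d-----w-, --sha-w-
    r"(?P<path>.+)$"
)
DRIVERS_DIR = re.compile(r"^[a-z]:\\windows\\system32\\drivers\\[^\\]+\.sys$")
ROOT_ITEM = re.compile(r"^[a-z]:\\[^\\]+$")
LOCAL_APPDATA_ITEM = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\[^\\]+$")
KNOWN_TOOL_DIRS = {"c:\\32788r22fwjfw"}   # ComboFix's own working folder


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]      # None for directories
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse_files_created(text: str) -> List[Entry]:
    """Return one Entry per file/directory line; headers and dots are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (path, reason) for entries worth a closer look, in log order."""
    findings = []
    for e in entries:
        p = e.path.lower()
        if p.endswith(".sys") and not DRIVERS_DIR.match(p):
            findings.append((e.path, "kernel driver outside system32\\drivers"))
        elif ROOT_ITEM.match(p) and p not in KNOWN_TOOL_DIRS:
            findings.append((e.path, "new item in the root of the system drive"))
        elif not e.is_dir and LOCAL_APPDATA_ITEM.match(p):
            findings.append((e.path, "loose file directly under AppData\\Local"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(parse_files_created(SAMPLE_LOG)):
        print(f"{reason:45} {path}")
```

On a full log, pass the whole file to parse_files_created; the Find3M section uses the same line layout, so it parses too. Everything the AV and Java installers wrote comes through unflagged by design, and everything that is flagged still needs checking (signer, hash lookup, what loads it) before it goes into a CFScript: Bludunifu.dat is flagged here for the same structural reason as the three deleted files, and the thread never establishes what it is.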
Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

======================================================================

Download OTL to your Desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in:



netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
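The custom scan above asks OTL for the MD5 of user32.dll, ws2_32.dll and ws2help.dll so the values can be compared with known-good copies. A DLL patched in place can keep its original size, so the hash, not the size, is what decides. The following is an added example, not part of this thread and not OTL's own code: a Python check that compares files against a (size, md5) baseline you captured on a machine you trust and reports each one as ok, modified or missing. The baseline values and the scratch files build_demo creates are constructed for the demonstration; a real baseline must come from a clean machine of the same Windows build and servicing level.

```python
"""Integrity check for the DLLs OTL hashes with /md5 (added example).

Not part of the thread or of OTL. Compares files against a baseline of
(size, md5) captured on a clean machine and reports ok / modified / missing.
The baseline and the scratch files built by build_demo() are constructed.
"""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, Tuple

# The three files named in the OTL custom scan.
OTL_MD5_TARGETS = [
    os.path.expandvars(r"%SystemRoot%\system32\user32.dll"),
    os.path.expandvars(r"%SystemRoot%\system32\ws2_32.dll"),
    os.path.expandvars(r"%SystemRoot%\system32\ws2help.dll"),
]


def file_digest(path: str, algo: str = "md5") -> str:
    """Hex digest of a file, streamed so a large binary is not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(paths: Iterable[str]) -> Dict[str, Tuple[int, str]]:
    """Capture (size, md5) per path on a machine you trust; this is the baseline."""
    return {p: (os.path.getsize(p), file_digest(p)) for p in paths}


def check_integrity(baseline: Dict[str, Tuple[int, str]]) -> Dict[str, str]:
    """Status per baseline path: 'ok', 'modified' or 'missing'.

    The size comparison is only a cheap shortcut; a byte patched in place
    leaves the size alone, so the hash is what actually decides.
    """
    report = {}
    for path, (size, md5) in baseline.items():
        if not os.path.isfile(path):
            report[path] = "missing"
        elif os.path.getsize(path) != size or file_digest(path) != md5:
            report[path] = "modified"
        else:
            report[path] = "ok"
    return report


def build_demo() -> Tuple[Dict[str, Tuple[int, str]], Dict[str, str]]:
    """Scratch 'system32': snapshot three stand-in DLLs, then tamper with two."""
    root = tempfile.mkdtemp(prefix="otl-md5-")
    paths = {}
    for name in ("user32.dll", "ws2_32.dll", "ws2help.dll"):
        p = os.path.join(root, name)
        with open(p, "wb") as f:                       # constructed stand-in content
            f.write(b"MZ" + b"\x00" * 62 + name.encode())
        paths[name] = p
    baseline = snapshot(paths.values())
    with open(paths["ws2_32.dll"], "r+b") as f:        # same-size in-place patch
        f.seek(40)
        f.write(b"\xe9")
    os.remove(paths["ws2help.dll"])                    # file gone (or swapped on reboot)
    return baseline, paths


def run_demo() -> Tuple[Dict[str, str], Dict[str, str]]:
    baseline, paths = build_demo()
    return check_integrity(baseline), paths


if __name__ == "__main__":
    report, _ = run_demo()
    for path, status in report.items():
        print(f"{status:9} {path}")
```

MD5 is used here only because that is what OTL prints; against a baseline you captured yourself it is fine for spotting an in-place patch, and file_digest takes any hashlib name if you want SHA-256 alongside. On the live machine the authoritative answer for a Windows DLL is its Authenticode signature or sfc /verifyonly, not a hash list; this check is for reading logs from a box you cannot run those on.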
 
Sorry for the late reply - sleep called! I've had to attach both files as they were too long to fit in the text box.
 

Attachments: OTL.Txt (77.1 KB), Extras.Txt (39.9 KB)
You're running really low on C drive free space:
Drive C: | 30.00 Gb Total Space | 1.72 Gb Free Space | 5.75% Space Free

=====================================================================

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
    @Alternate Data Stream - 174 bytes -> C:\ProgramData\TEMP:DFC5A2B2
    @Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:A8ADE5D8
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [resethosts]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
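The [resethosts] command in that fix replaces the hosts file wholesale, and the log below reports "HOSTS file reset successfully". It is worth reading a hosts file before throwing it away, because a search-redirect infection often leaves its fingerprints there: search-engine names pinned to an attacker's address, or security-vendor and update names pinned to 127.0.0.1 so the tools cannot update. The following is an added example, not part of this thread and not OTL's own code: a Python check that parses hosts-file syntax the way Windows reads it (comments, several names on one line, IPv6) and classifies each suspicious entry. The watched-name list is an assumed starting point and the sample hosts content is constructed.

```python
"""Hosts-file hijack check (added example; not part of the thread or OTL).

Parses the hosts-file syntax Windows understands (one address followed by
one or more names, '#' comments) and reports entries a redirect infection
would leave behind. The watched-name list is an assumed starting point.
"""
import ipaddress
from typing import List, Tuple

HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"   # path from the OTL log

# Names worth watching: search engines a redirect infection diverts, and
# update/security sites it blocks. Assumed list; extend for your environment.
WATCHED = (
    "google.com", "google.co.uk", "bing.com", "yahoo.com",
    "windowsupdate.com", "update.microsoft.com",
    "malwarebytes.org", "avg.com", "kaspersky.com", "gmer.net",
)

# Constructed sample; the addresses are documentation ranges (RFC 5737).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.malwarebytes.org      # vendor site sinkholed: updates fail
203.0.113.10    www.google.com            # searches go to an attacker's box
203.0.113.10    google.com
0.0.0.0         ads.example.net           # ad-blocking style entry, left alone
203.0.113.20    secure.example-bank.test  # non-watched name, still redirected
"""


def parse_hosts(text: str) -> List[tuple]:
    """Return (line number, address, lowercase name) for every mapping."""
    mappings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comment
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # malformed; Windows ignores it too
        for name in parts[1:]:
            mappings.append((lineno, addr, name.lower()))
    return mappings


def is_watched(name: str) -> bool:
    return any(name == w or name.endswith("." + w) for w in WATCHED)


def find_hijacks(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line, name, address, kind) with kind in block/redirect/mapping.

    block    - a watched name sent to loopback or 0.0.0.0 (site made unreachable)
    redirect - a watched name sent anywhere else (silent redirection)
    mapping  - any other name sent to a real address (review it)
    Loopback/0.0.0.0 entries for non-watched names are ignored; that is how
    ad-blocking hosts lists work.
    """
    findings = []
    for lineno, addr, name in parse_hosts(text):
        sinkholed = addr.is_loopback or addr.is_unspecified
        if is_watched(name):
            findings.append((lineno, name, str(addr), "block" if sinkholed else "redirect"))
        elif not sinkholed:
            findings.append((lineno, name, str(addr), "mapping"))
    return findings


def check_local_hosts(path: str = HOSTS_PATH) -> List[Tuple[int, str, str, str]]:
    """Run the check against the hosts file of a live Windows machine."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return find_hijacks(f.read())


if __name__ == "__main__":
    for lineno, name, addr, kind in find_hijacks(SAMPLE_HOSTS):
        print(f"line {lineno:2}: {kind:8} {name} -> {addr}")
```

Two caveats a practitioner would want. A clean hosts file does not clear this thread's symptom by itself: the redirect here stopped before the hosts reset, and the rest of the fix (the driver in C:\, the BHO and ShellExecuteHooks entries, the alternate data streams) is what the helper was actually after. And anything this flags as "redirect" deserves a look at where the address leads before you decide it was a typo.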
 
I know. I thought it'd be plenty when I partitioned the hard drive, but that was about 4 years ago now. I want to move some of the free space on the D drive to the C drive, but I need to defrag both drives and then move some stuff over, and I need to find some instructions to follow carefully before I do that.

I've got a file called desktop.ini on the desktop following the last ComboFix scan before it was uninstalled. Can I delete that? Here's the OTL log:

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\Windows\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
ADS C:\ProgramData\TEMP:DFC5A2B2 deleted successfully.
ADS C:\ProgramData\TEMP:A8ADE5D8 deleted successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Bethan
->Temp folder emptied: 10515 bytes
->Temporary Internet Files folder emptied: 927455835 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 84806263 bytes
->Flash cache emptied: 42345 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 72932 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 965.00 mb


[EMPTYFLASH]

User: All Users

User: Bethan
->Flash cache emptied: 0 bytes

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb

C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.7.0 log created on 07042010_173456

Files\Folders moved on Reboot...
C:\Users\Bethan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF0003.tmp moved successfully.

Registry entries deleted on Reboot...
 

Attachment: 07042010_173456.log (5.8 KB)
Good :)

1. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart the computer.


2. Go to Kaspersky website and perform an online antivirus scan.

1. Disable your active antivirus program.
2. Read through the requirements and privacy statement and click on Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

  • Spyware, Adware, Dialers, and other potentially dangerous programs
  • Archives
  • Mail databases
6. Click on My Computer under Scan.
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
 
Takes a while to scan, doesn't it?! Here are the results; I'm guessing they're good:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, July 4, 2010
Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit (build 6000)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, July 04, 2010 15:01:03
Records in database: 4247770
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
F:\

Scan statistics:
Objects scanned: 110847
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 02:26:56

No threats found. Scanned area is clean.

Selected area has been scanned.
 

Attachment: kapersky 4-7-10.txt (836 bytes)
Nice :)

OTL Clean-Up
Clean up with OTL:

* Double-click OTL.exe to start the program.
* Close all other programs apart from OTL as this step will require a reboot
* On the OTL main screen, press the CLEANUP button
* Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

=====================================================================

Your computer is clean

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point.

Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista and 7:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

4. Make sure Windows Updates are current.

5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

6. Download and install WOT (Web Of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run defrag at your convenience.

8. Read "How did I get infected? With steps so it does not happen again!": http://www.bleepingcomputer.com/forums/topic2520.html

9. Please let me know how your computer is doing.
 
Thank you! I'm heading to bed as it's 11pm here, but I'll follow these steps tomorrow. Thanks so much for your help with this - I really, really appreciate it.
 
Sorry, I haven't been online for a few days. It all seems to be working fine now - no problems with Google and everything's coming up clean when the virus/spyware checks are done. Thanks again.
 