[In Progress] Google redirect problem. 5 steps followed, logs pasted here

Thank you for any help you may share!

Logs:


Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org
Database version: 8033
Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.18943
10/28/2011 1:44:34 AM
mbam-log-2011-10-28 (01-44-34).txt
Scan type: Quick scan
Objects scanned: 178608
Time elapsed: 9 minute(s), 14 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 25
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{0196479A-C9AE-475A-8784-8FCF28331106} (Trojan.SHarpro.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0196479A-C9AE-475A-8784-8FCF28331106} (Trojan.SHarpro.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{0196479A-C9AE-475A-8784-8FCF28331106} (Trojan.SHarpro.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0196479A-C9AE-475A-8784-8FCF28331106} (Trojan.SHarpro.Gen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\svchost (Backdoor.Bot) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\-1472955481 (Trojan.Agent.Gen) -> Value: -1472955481 -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500 (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\download (Backdoor.Bot) -> Quarantined and deleted successfully.
Files Infected:
c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\a_friend.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\Users\Ryan\AppData\Local\Temp\jar_cache5957979960257972422.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\Ryan\AppData\Local\Temp\0.1807455868082134.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.
c:\Users\Ryan\AppData\Local\Temp\0.1822530675191193.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.
c:\Users\Ryan\AppData\Local\Temp\0.3707323280140855.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.
c:\Users\Ryan\local settings\application data\tcpipadmin.dll (Trojan.SHarpro.Gen) -> Quarantined and deleted successfully.
c:\Users\Ryan\AppData\Local\tcpipadmin.dll (Trojan.SHarpro.Gen) -> Quarantined and deleted successfully.
c:\Users\Ryan\AppData\Local\Temp\nsg8344.tmp\update.dll (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\svchost.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\aliases.ini (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\control.ini (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\Desktop.ini (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\fullname.txt (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\hallmark.gif (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\ident.txt (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\identd.txt (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\instsrv.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\mirc.ico (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\mirc.ini (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\nicks.txt (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\notify.txt (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\popups.txt (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\remote.ini (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\servers.ini (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500\users.ini (Backdoor.Bot) -> Quarantined and deleted successfully.




GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-10-28 02:06:25
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD25 rev.01.0
Running: 1fux75y5.exe; Driver: C:\Users\Ryan\AppData\Local\Temp\pxldrpog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18943 BrowserJavaVersion: 1.6.0_23
Run by Ryan at 2:07:49 on 2011-10-28
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3573.2098 [GMT -7:00]
.
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\aestsrv.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\system32\lxeecoms.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\PharosSystems\Core\CTskMstr.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Lexmark Pro700 Series\lxeemon.exe
C:\Program Files\Lexmark Pro700 Series\ezprint.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\ehome\ehtray.exe
C:\Users\Ryan\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\wbem\wmiprvse.exe
c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Ryan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Ryan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Ryan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Ryan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\rundll32.exe
C:\Users\Ryan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Ryan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2080901
uStart Page = hxxp://www.google.com/
uWindow Title = Internet Explorer provided by Dell
uInternet Settings,ProxyOverride = <local>;*.local
uInternet Settings,ProxyServer = http=127.0.0.1:53902
mSearchAssistant = hxxp://start.facemoods.com/?a=wbst&s={searchTerms}&f=4
uURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File
TB: {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - No File
EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Google Update] "c:\users\ryan\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Leadertech Update] rundll32 ",DllRegisterServer
uRun: [Classes Update] rundll32 ",DllRegisterServer
uRun: [Canon Update] rundll32 ",DllRegisterServer
uRun: [GoogleTrayTray] rundll32.exe ",DllRegisterServer
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [lxeemon.exe] "c:\program files\lexmark pro700 series\lxeemon.exe"
mRun: [EzPrint] "c:\program files\lexmark pro700 series\ezprint.exe"
mRun: [Lexmark Pro700 Series Fax Server] "c:\program files\lexmark pro700 series\fm3032.exe" /s
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\users\ryan\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{ccbaa1f7-e5e1-48b2-9ed9-a79c6a37ce78}\Icon3E5562ED7.ico
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: csus.edu\online
Trusted Zone: intuit.com\ttlc
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-US/wlscctrl2.cab
DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxp://support.dell.com/systemprofiler/SysProExe.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 152.79.115.115 152.79.105.105
TCP: Interfaces\{A2E726EA-6ADB-4993-8943-909C48D701A9} : DhcpNameServer = 152.79.115.115 152.79.105.105
TCP: Interfaces\{F5EDA4B1-EA37-4EBA-A1BF-B549D2CF39BB} : DhcpNameServer = 192.168.0.1 68.94.156.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\ryan\appdata\roaming\mozilla\firefox\profiles\faeca8v1.default\
FF - prefs.js: browser.search.selectedengine - Search
FF - prefs.js: browser.startup.homepage - hxxp://start.facemoods.com/?a=wbst
FF - prefs.js: keyword.URL - hxxp://start.facemoods.com/?a=wbst&s={searchTerms}&f=4&hl={language}&src=chrm
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 53902
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\users\ryan\appdata\local\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\users\ryan\appdata\roaming\move networks\plugins\npqmp071503000010.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-10-27 36000]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2009-7-25 73728]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-10-27 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2011-10-27 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-10-27 74640]
R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-4-28 161048]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-25 189736]
R2 lxee_device;lxee_device;c:\windows\system32\lxeecoms.exe -service --> c:\windows\system32\lxeecoms.exe -service [?]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-7-25 111616]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-13 136176]
S2 lxeeCATSCustConnectService;lxeeCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxeeserv.exe [2010-1-10 98984]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-12-13 136176]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-1-20 16896]
S3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\drivers\WSDScan.sys [2008-1-20 19968]
.
=============== Created Last 30 ================
.
2011-10-28 08:51:30 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{2190ab69-52ef-4402-92c0-6cac921f0389}\offreg.dll
2011-10-28 08:31:49 -------- d-----w- c:\users\ryan\appdata\roaming\Malwarebytes
2011-10-28 08:31:15 -------- d-----w- c:\programdata\Malwarebytes
2011-10-28 08:31:11 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-28 08:31:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-27 16:22:27 -------- d-----w- c:\users\ryan\appdata\roaming\Avira
2011-10-27 16:16:28 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-10-27 16:16:28 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2011-10-27 16:16:28 -------- d-----w- c:\programdata\Avira
2011-10-27 16:16:28 -------- d-----w- c:\program files\Avira
2011-10-25 23:42:42 6668624 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{2190ab69-52ef-4402-92c0-6cac921f0389}\mpengine.dll
.
==================== Find3M ====================
.
.
============= FINISH: 2:08:27.99 ===============



.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 7/25/2009 3:18:50 PM
System Uptime: 10/28/2011 1:51:07 AM (1 hours ago)
.
Motherboard: Dell Inc. | | 0U990C
Processor: Intel(R) Core(TM)2 Duo CPU T5750 @ 2.00GHz | Microprocessor | 2000/166mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 220 GiB total, 39.659 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 5.309 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
.
Update for Microsoft Office 2007 (KB2508958)
32 Bit HP CIO Components Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.3.0
Adobe Shockwave Player 11.5
Amazon MP3 Downloader 1.0.5
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Avira Free Antivirus
Bonjour
Canon Easy-WebPrint EX
Canon IJ Network Scan Utility
Canon IJ Network Tool
Canon MP Navigator EX 3.1
Canon MX870 series MP Drivers
Canon MX870 series User Registration
Canon Speed Dial Utility
Canon Utilities Easy-PhotoPrint EX
Canon Utilities My Printer
Canon Utilities Solution Menu
Cisco Systems VPN Client 5.0.00.0340
Citrix Presentation Server Client
Conexant HDA D330 MDC V.92 Modem
Dell-eBay
Dell DataSafe Online
Dell Dock
Dell Driver Download Manager
Dell Getting Started Guide
Dell Photo Printer 720
Dell Support Center (Support Software)
Dell Touchpad
Digital Line Detect
doPDF 6.2 printer
eReg
Google Chrome
Google Desktop
Google Earth
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel(R) Graphics Media Accelerator Driver
Intel(R) Matrix Storage Manager
Intel(R) PROSet/Wireless Software
iPhone Configuration Utility
iTunes
Java Auto Updater
Java(TM) 6 Update 23
Java(TM) 6 Update 5
Lexmark Printable Web
Lexmark Pro700 Series
Lexmark Tools for Office
Logitech SetPoint 6.15
Malwarebytes' Anti-Malware version 1.51.2.1300
mCore
MediaDirect
mHelp
Microsoft .NET Framework 3.5 SP1
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
mMHouse
Modem Diagnostic Tool
Mozilla Firefox (3.0.13)
mPfMgr
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
mWMI
OutlookAddinSetup
Pharos
Plants vs. Zombies
Quicken 2009
QuickSet
QuickTime
RealPlayer
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Safari
Seagate Manager Installer
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2553074)
Security Update for 2007 Microsoft Office System (KB2553089)
Security Update for 2007 Microsoft Office System (KB2553090)
Security Update for 2007 Microsoft Office System (KB2584063)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office Excel 2007 (KB2553073)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Skype Toolbars
Skype™ 5.0
TurboTax 2009
TurboTax 2009 wcaiper
TurboTax 2009 WinPerFedFormset
TurboTax 2009 WinPerReleaseEngine
TurboTax 2009 WinPerTaxSupport
TurboTax 2009 wrapper
TurboTax 2010
TurboTax 2010 wcaiper
TurboTax 2010 WinPerFedFormset
TurboTax 2010 WinPerReleaseEngine
TurboTax 2010 WinPerTaxSupport
TurboTax 2010 wrapper
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office OneNote 2007 (KB980729)
VoiceOver Kit
WIDCOMM Bluetooth Software 6.0.1.3100
Windows Live OneCare safety scanner
Yahoo! Software Update
Yahoo! Toolbar
.
==== End Of File ===========================
 
Welcome to TechSpot!

I'd like to give you some information first; the choice is yours: your main infection has been due to Backdoor.bots. While some entries have been removed in Mbam, please read the following:
------------------------------------
What is a Backdoor.bot?
This is a piece of malware that has worm, downloader, backdoor, keylogger and spy ability. It may arrive on a system after being exploited by a copy of the worm residing on an infected machine in the network. After execution, the malware will inject a piece of code in kernel mode (by gaining access to \Device\PhysicalMemory). It will make a copy of itself inside c:\windows\fonts\unwise_.exe (hidden), execute it and continue execution there. The original file will then be deleted. The worm will register itself as a service under the name Windows Hosts Controller, setting the description to "Enables Windows Host Controller Service. This service cannot be stopped." to discourage users from deleting it.
- The worm has the ability to spread via:
o USB drives; when it detects a new drive, it will make a fresh copy of itself, on the USB drive in the following directory:
Recycler\S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxx\file-name.exe. It will also create an autorun.inf file that will point to the new copy.
And yes- it makes Registry changes to the firewall, the Security Center. It can do or cause:
  1. Use of the machine as part of a botnet (e.g. to perform automated spamming or to distribute Denial-of-service attacks)
  2. Data theft (e.g. retrieving passwords or credit card information)
  3. Installation of software, including third-party malware
  4. Downloading or uploading of files on the user's computer
  5. Modification or deletion of files
  6. Keystroke logging
  7. Watching the user's screen
  8. Wasting the computer's storage space
  9. Crashing the computer

Being advised of this, would you rather consider a reformat/reinstall instead of an attempt to clean, which may not find or remove all of its code?
======================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
  • Please let me know if there is any change in the system.

If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
=====================================
 
Reformatting / reinstalling

Thanks for your response, Bobbye! I have decided to reformat and reinstall as I do indeed bank online. Only two questions remain:

1. USB flash drive/ backing up data: I use a USB flash drive for some critical files. How can I be sure I won't re-corrupt my computer with this if I continue to use it after I reformat/reinstall? Also, I have a backup hard drive that I use for files only, no applications. Do I need to reformat this as well?

2. Easy instructions for reformatting/reinstalling: I am unable to locate any system disk that might have come with the computer. I'm pretty novice with system details. Can you point me to some good instructions to efficiently reformat/reboot my machine?

Thanks again for your generous help with this very frustrating problem!
 
You can disinfect the flash drive and any other removable drives:

Please disinfect all removable drives
  1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    Note: Some security programs will flag Flash_Disinfector as being some sort of malware, you can safely ignore these warnings
  3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  4. Wait until it has finished scanning and then exit the program.
  5. Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
=================
Regarding this:
c:\RECYCLER\s-1-5-21-606747145-1085031214-725345543-500.......

The Recycler is a hidden, protected system file. It is the folder where processes that are deleted are kept. They are eventually overwritten unless you use one of the overwriting programs. I'd like to try and remove these entries.

This has 2 conditions:
1. the Recycle bin itself has to be empty.
2. Hidden files and folders have to show:
Show Hidden Files and Folders in Windows Vista and Windows 7:
  • Click on the Start button and select Computer
  • Press the Alt key on your keyboard and click on Tools
  • Select Folder Options
  • Click the View tab and make sure that Show hidden files and folders is selected under Hidden files and folders
  • Next, uncheck the box next to Hide protected operating system files (Recommended)
  • Then, uncheck the box next to Hide extensions for known file types
  • Click Apply then click OK
Please be sure to rehide the files and folders when you have finished.
-----------------------------------
Use Windows Explorer to navigate to the Recycler. Click to open and look for this SID on the right screen: s-1-5-21-606747145-1085031214-725345543-500. This is the account with the deleted Backdoor.bot files.

Try doing a right click> Delete on this account.
Please note, for some unknown reason, this will not always allow the delete, instead giving a message that it's "in use".

If that happens, try the following:
1. Click Start, click Run, type cmd.exe in the Open box, and then click OK.
2. Change to the drive and folder where you deleted the files. For example, if you deleted a file from the C:\Windows folder, type cd\windows at the C: prompt, and then press ENTER.
3. From that folder type cd recycler, and then press ENTER.
4. From the Recycler folder type dir, and then press ENTER. You may see some UserSID folders where SID is the security ID for each user who deleted files in that folder.
5. Type cd userSID, and then press ENTER.
6. Type del *.*, and then press ENTER. If you receive an error message that indicates some files are open, quit all the programs running on your computer.
7. Type cd.., press ENTER, and then repeat steps 5-7 for each folder in the Recycler folder.
8. Type exit, and then press ENTER.

CMD instructions courtesy Microsoft.
==========================================
You will find excellent reformat/reinstall instructions here:
http://www.tech-101.com/tutorials/356-tutorial-windows-install-repair-xp-vista.html

I think you made a wise decision. There is no way of knowing how long the bot was around. With so many entries in the Recycler, assuming the worst is the safest way to go.
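A scripted version of the Recycler clean-up steps in the post above, combined with a check for the USB-drive footprint (Recycler\S-...\<name>.exe plus an autorun.inf pointing at it) described in the Backdoor.bot explanation earlier in the thread. This is an added example, not code from the thread or from any tool it names; it assumes an elevated PowerShell prompt, that the Recycle Bin has already been emptied, and a constructed default drive list (pass the flash drive letter as well).

```powershell
# Added example (not from the TechSpot thread or any tool it names).
# Assumes an elevated PowerShell prompt on the Vista-era machine in the thread
# and that the Recycle Bin has already been emptied (the thread's condition 1).
# $DriveRoots is a constructed default; pass the flash drive letter as well.
param(
    [string[]] $DriveRoots = @('C:\'),
    [switch]   $Remove            # without -Remove the script only reports
)

# RECYCLER and its per-user SID folders are hidden system folders, so every
# Get-ChildItem below uses -Force; PSIsContainer keeps this PowerShell 2.0 safe.
function Get-RecyclerSidFolders {
    param([string] $Root)
    $recycler = Join-Path $Root 'RECYCLER'
    if (-not (Test-Path -LiteralPath $recycler)) { return ,@() }
    $sids = Get-ChildItem -LiteralPath $recycler -Force |
        Where-Object { $_.PSIsContainer -and $_.Name -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }
    return ,@($sids)
}

# Steps 5-7 of the thread: enter each SID folder and delete everything in it.
# Files Windows reports as "in use" are collected instead of aborting the run.
function Clear-RecyclerSidFolder {
    param([System.IO.DirectoryInfo] $Folder, [switch] $Remove)
    $locked = @()
    $files = Get-ChildItem -LiteralPath $Folder.FullName -Force -Recurse |
        Where-Object { -not $_.PSIsContainer }
    foreach ($f in @($files)) {
        if ($f -eq $null) { continue }
        Write-Output ("  {0,10} bytes  {1}" -f $f.Length, $f.FullName)
        if ($Remove) {
            try   { Remove-Item -LiteralPath $f.FullName -Force -ErrorAction Stop }
            catch { $locked += $f.FullName }
        }
    }
    return ,$locked
}

# The worm described in the thread copies itself to Recycler\S-...\<name>.exe on a
# USB drive and writes an autorun.inf pointing at that copy. Flash_Disinfector
# leaves a *folder* named autorun.inf, so only an autorun.inf *file* is suspect.
function Find-AutorunAndRecyclerPayload {
    param([string] $Root)
    $findings = @()
    $autorun = Join-Path $Root 'autorun.inf'
    if (Test-Path -LiteralPath $autorun -PathType Leaf) {
        $text = [System.IO.File]::ReadAllText($autorun)
        if ($text -match '(?im)^\s*(open|shellexecute)\s*=\s*(.+?)\s*$') {
            $findings += "autorun.inf file launches: $($Matches[2])"
        } else {
            $findings += "autorun.inf file present (no open= line found)"
        }
    }
    foreach ($sid in Get-RecyclerSidFolders -Root $Root) {
        Get-ChildItem -LiteralPath $sid.FullName -Force -Recurse |
            Where-Object { -not $_.PSIsContainer -and $_.Extension -match '^\.(exe|dll|scr)$' } |
            ForEach-Object { $findings += "executable inside Recycler: $($_.FullName)" }
    }
    return ,$findings
}

foreach ($root in $DriveRoots) {
    Write-Output "== $root =="
    Find-AutorunAndRecyclerPayload -Root $root | ForEach-Object { Write-Output "  REVIEW: $_" }
    foreach ($sid in Get-RecyclerSidFolders -Root $root) {
        Write-Output "Recycler SID folder: $($sid.Name)"
        $locked = Clear-RecyclerSidFolder -Folder $sid -Remove:$Remove
        foreach ($l in $locked) { Write-Output "  LOCKED (close open programs and retry): $l" }
    }
}
```

Run it once without -Remove to review what it finds; re-run with -Remove only for the SID folder the log identifies, and re-hide protected system files afterwards as the post asks.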
 
Reformatting / reinstalling with Windows 7

I was thinking of upgrading to windows 7 with the reformat / reinstall. Do you think that's a good idea? And if so, will my reformat / reinstall instructions differ from the link you have given me?

You've been so helpful. I appreciate it tremendously! THANK YOU!

Helmeticus
 