Solved Search results redirected and IE pop-ups

[Tarmod]

Recently, Avira 10.0 is detecting Malware in scan and guard mode. My search engine links (Yahoo and Google) are redirected to some other web site such as Ask Jeeves or a different shop. Occasionally, a web page will pop up offering products or services such as TheClickCheck dot com or somthing similar to which I've already been looking at.

I've completed the 8 steps and hopefully someone can help me. I've copy/pasted the Malware log below. The DDS log exceeded the 20,000 character limit of posts so is attached with the Attach log.

GMER scan kept crashing so was done in safe mode and the log is very, very long. It's too big (446kb) to attach.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4245

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

27/06/2010 12:51:17
mbam-log-2010-06-27 (12-51-17).txt

Scan type: Quick scan
Objects scanned: 128549
Time elapsed: 15 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore

r\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) ->

Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore

r\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) ->

Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore

r\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) ->

Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore

r\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) ->

Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore

r\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) ->

Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore

r\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) ->

Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore

r\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) ->

Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore

r\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) ->

Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image

File Execution Options\RapportMgmtService.exe (Security.Hijack) ->

Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image

File Execution Options\RapportService.exe (Security.Hijack) ->

Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows

NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and

deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\none

p (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows

NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad:

(C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,)

Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted

successfully.

Files Infected:
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and

deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and

deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Start

Menu\Programs\Startup\ntuser_mssec.exe (Trojan.VirTool) ->

Quarantined and deleted successfully.

 

[Bobbye]

After you open Notebook for these logs, please go up to Format and either check or uncheck the Word Wrap> the opposite of how you find it. I never remember which is which!

Please download ComboFix from Here and save to your Desktop.

• 
  [1]. Do NOT rename Combofix unless instructed.
  [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3].Close any open browsers.
  [4]. Double click combofix.exe & follow the prompts to run.
• NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  [5]. If Combofix asks you to install Recovery Console, please allow it.
  [6]. If Combofix asks you to update the program, always allow.
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs, when you're done with Combofix..


Run Eset NOD32 Online AntiVirus scan HEREhttp://www.eset.eu/online-scanner

1. Tick the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the Active X control to install
4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
5. Click Start
6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
7. Click Scan
8. Wait for the scan to finish
9. Re-enable your Antivirus software.
10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

=========================================
Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

 

[Tarmod]

Eset and ComboFix Scan Attached

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=cd99e3276d66e74eadc82bb4d974a5dc
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-04 10:50:01
# local_time=2010-07-04 11:50:01 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1797 16775141 100 93 860021 37366760 167649 0
# compatibility_mode=8192 67108863 100 0 329 329 0 0
# scanned=158717
# found=1
# cleaned=0
# scan_time=6555
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\isapnp.sys.vir Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I

 

[Bobbye]

Custom Script

• 
  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad and copy/paste the text in the code below into it:

File::
Folder::
c:\documents and settings\Norman\Application Data\Isiwc;c
:\documents and settings\Norman\Application DataHiizz
c:\documents and settings\Norman\Application DataBeotidd
c:\documents and settings\Norman\Application DataAkwyokk
c:\documents and settingsNetworkServicee\Application Datadhxiuwwdatt

DDS::
uURLSearchHookssBigMAQAQ Toolbar: {7f312b9a-208b-49fa-8218-aaaaecec1463} - c:\program filebigmaqatbBigMgdllll
BHOBigMAQAQ Toolbar: {7f312b9a-208b-49fa-8218-aaaaecec1463} - c:\program filebigmaqatbBigMgdllll
TBBigMAQAQ Toolbar: {7f312b9a-208b-49fa-8218-aaaaecec1463} - c:\program filebigmaqatbBigMgdllll
BHO: {00b8e20c-5c71-4c2f-85a5-6ad5415dfdf0} - No File
BHO: {02478D38-C3F9efbfb-9B51-7695ECA05670} - No File
BHO: {a1b2f3fa-dd1d-470b-a23e-a133b2efef60} - No FiluRun
un: [{515B8664-7E37-DEB6-874F-3BECBFA95E52}] "c:\documents and settinnormanman\application daisiwcirefeeexeexuRun
Run: [{F81BDBA6-FAC2-5DD6-16BA-09A42E50E932}] "c:\documents and settinormanrman\application dbeotid\enpiunexe.exe"

Registry
Driver::

Save thisCFScriptrtxt.txt, in the same location as ComboFix.exe

Referring to the picture above, dCFScriptript iComboFixoexe.exe

When finished, it will produce a log for you atComboFixotxt.txt . Please attach to your next reply.
=================================================
Questions and 'to do':
1. Please uninstall all versions of Java except v6u20. You have 7 older versions installed which are vulnerabilities for the system.
2. Check the Spybot Search & Destroy program> there are 4 separate entries> all should be parts of the original program install:
On 6/5/2010:
c:\program files\TeaTimer (Spybot - Search & Destroy)
c:\program fiSDHelperlper (Spybot - Search & Destroy)
c:\program files\Misc. Support Library (Spybot - Search & Destroy)
c:\program files\File Scanner Library (Spybot - Search & Destroy)
And on 4/11/2006:
c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
c:\program files\Spybot - Search & Destroy
3. You have drivers running for>> Dell CompuBluetoothooth PC Card, Driver, NAT Protocol and Ethernet Protocol. TwonkyMediaedia Server Mobile (Nokieokie)is also running. You are also running BlueSoleilleil iBluetoothooth software/driver. Do you still use all of these?
4. These files from 817/2001 are running. Do you still use them? I coudn't ID all of them:
c:\windows\systedllcacheaserscanssys.sys>>> Serial Imaging Device Driver
2010-06-27 15:27 . 2001-08-17 12:53 6784 ----a-w- c:\windows\system32\drivserscanssys.sys
2010-06-27 15:27 . 2001-08-17 21:36 92160 -c--a-w- c:\windows\systedllcacheafuusdudll.dll>> (Still Image Devices DLL)
2010-06-27 15:27 . 2001-08-17 21:36 92160 ----a-w- c:\windows\systefuusdudll.dll
2010-06-27 15:27 . 2001-08-17 21:36 71680 -c--a-w- c:\windows\systedllcacheafnfilterldll.dll
2010-06-27 15:27 . 2001-08-17 21:36 71680 ----a-w- c:\windows\system32\fnfilter.dll

 

[Tarmod]

Custom Script completed

Combo log attached.

Questions & ToDo
1. Old Java updates removed.
2. Search & Destroy removed.
3. The only driver used is Bluesoleil. I removed Twonkymedia program but haven't dealt with the other drivers yet.
4.. Don't recognise ant of these files so not sure if they're used.

Search engine links are working now, No unwanted pop-ups.

 

[Bobbye]

Removing coding due to parsing. Will re-post what problem is fixed. Notifying moderator of site problem. Previous attempt for code also parsed.

 

[Bobbye]

Well I found the problem! It's the darn Google Spell check that's causing the parsing. So this is fresh- no spell check. I sure hope it comes through okay! Go ahead and run it- I'll check in the morning to see how it went through the system.

Custom CFScript

• 
  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad and copy/paste the text in the code below into it:

File::
c:\documents and settings\Norman\Application Data\Isiwc
c:\documents and settings\Norman\Application Data\Hiiz
c:\documents and settings\NetworkService\Application Data\dhxiuw.dat
c:\program files\nokia\nokia home media server\media server\twonkymedia.exe

Folder::
c:\documents and settings\Norman\Application Data\Beotid
c:\documents and settings\Norman\Application Data\Akwyok

DDS::
uURLSearchHooks: BigMAQ Toolbar: {7f312b9a-208b-49fa-8218-b9aa22ec1463} - c:\program files\bigmaq\tbBigM.dll
BHO: BigMAQ Toolbar: {7f312b9a-208b-49fa-8218-b9aa22ec1463} - c:\program files\bigmaq\tbBigM.dll
uRun: [{515B8664-7E37-DEB6-874F-3BECBFA95E52}] "c:\documents and settings\norman\application data\isiwc\refe.exe"
uRun: [{F81BDBA6-FAC2-5DD6-16BA-09A42E50E932}] "c:\documents and settings\norman\application data\beotid\enpiu.exe"

Registry::

Driver::

FCopy::

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
====================
I have a few more to add if there's no problem.

 

[Tarmod]

Combo Log attached

Log attached as requested.

 

[Bobbye]

Do you have any idea what these folders are for?
2006-11-22 22:27 c:\documents and settings\Norman\Application Data\Isiwc
2009-03-05 09:41 c:\documents and settings\Norman\Application Data\Hiiz

Custom CFScript

• 
  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad and copy/paste the text in the code below into it:

File::

FileLook::
c:\documents and settings\Norman\Application Data\Isiwc
c:\documents and settings\Norman\Application Data\Hiiz

Folder::
c:\program files\Symantec
c:\program files\Common Files\Symantec Shared
Registry::

Driver::

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
Download the HijackThis Installer HERE and save to the desktop:

1. Double-click on HJTInstall.exe to run the program.
2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
3. Accept the license agreement by clicking the "I Accept" button.
4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
5. Click "Save log" to save the log file and then the log will open in notepad.
6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Please paste both of these logs into the next reply..
No spell check on this- it messed up the coding again- strange.

 

[Tarmod]

Hijacked

I don't know what these 2 folders are for.

Attached is Combofix log and pasted below is the HijackThis log.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 01:05:44, on 14/07/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\IVT Corporation\BlueSoleil\BsMobileCS.exe
C:\Program Files\Common Files\Iconix\IconixService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\slmdmsr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
C:\Program Files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclIrSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\Program Files\Common Files\Nokia\NoA\nokiaaserver.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: IconixBHOClass Class - {761233B6-F228-49E4-8F6B-668499D4E55A} - C:\Program Files\Iconix\IEAddOn\IconixBHO_38.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {a1b2f3fa-dd1d-470b-a23e-a133b2f8ef60} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PD0630 STISvc] RunDLL32.exe P0630Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [MioNet] C:\Program Files\MioNet\MioNetLauncher.exe /p
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [BtTray] "C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NokiaMServer] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles startup
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {400A6CFA-E326-4d61-A90C-9AD75358DC5F} - C:\Program Files\Iconix\IEAddOn\IconixBHO_38.dll (file missing)
O9 - Extra 'Tools' menuitem: Email ID Preferences - {400A6CFA-E326-4d61-A90C-9AD75358DC5F} - C:\Program Files\Iconix\IEAddOn\IconixBHO_38.dll (file missing)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {BC3F6B6D-2E49-4603-B028-7411655713F3} - C:\Program Files\Iconix\IEAddOn\IconixBHO_38.dll (file missing)
O9 - Extra 'Tools' menuitem: About Email ID - {BC3F6B6D-2E49-4603-B028-7411655713F3} - C:\Program Files\Iconix\IEAddOn\IconixBHO_38.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk/
O15 - Trusted Zone: http://www.soundsbox.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} (FBootloaderAX) - http://www.facebook.com/fbplugin/win32/axfbootloader.cab?1265544670296
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-gb/4,0,0,72/mcinsctl.cab
O16 - DPF: {4FEE6316-7B6F-4A6C-BD4E-4157C59A9E9D} (Ovi maps browser plugin) - http://static.s2g.gate5.de/ovi_maps/OviMaps_2.3.37.6.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1277590293093
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdate - Activex Control) - http://support.fujitsu-siemens.de/DeskUpdate/isapi/activex.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\WINDOWS\system32\skype4com.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: BlueSoleilCS - IVT Corporation - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BsHelpCS - IVT Corporation - C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
O23 - Service: BsMobileCS - IVT Corporation - C:\Program Files\IVT Corporation\BlueSoleil\BsMobileCS.exe
O23 - Service: Google Update Service (gupdate1c9bb7a2cb910e0) (gupdate1c9bb7a2cb910e0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iconix Update Service (IconixService) - Unknown owner - C:\Program Files\Common Files\Iconix\IconixService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MioNet - Unknown owner - C:\Program Files\MioNet\MioNetManager.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slmdmsr.exe

--
End of file - 11573 bytes

 

[Bobbye]

Please tell me if any of the original malware problems are still present:
Redirecting sites
Pop-ups with ads
Alert from Avira

There are 3 suspicious files in Combofix that point to a possible Rootkit. I need you to check it out since I did not see the GMER log:

Please download MBR Rootkit Detector and save it on your desktop.

• Pause/Stop all antivirus/spyware active protection.
• Then double click on mbr.exe to run it.
• Select Run when you receive a Security Warning
• The process is automatic, a black DOS window will appear and disappear suddenly. This is normal.
• A log file will the be created on your desktop where you ran mbr.exe
• Copy and paste the contents of mbr.log on your next reply.

============================
The 2 folders I've asked about will not return any information or allowed themselves to be moved:
c:\documents and settings\Norman\Application Data\Isiwc
c:\documents and settings\Norman\Application Data\Hiiz

I would like you to do the following:
Show Hidden Folders/Files

• Click on Search> Choose 'All files and folders'
• Go to Tools > Folder Options.
• Select the View tab.
• Scroll down to Hidden files and folders.
• Select Show hidden files and folders.
• Uncheck (untick) Hide extensions of known file types.
• Uncheck (untick) Hide protected operating system files (Recommended).
• Click Yes when prompted.
• Click OK.
• Type each of the following into the search box, one at a time and search for each:
  Isiwc
  Hiiz
• Do a right click> Properties on each. See if you can find any information on either.
• If you cannot identify either, please do a right click> Delete on each.

Close Search and Reset Hidden/System Files & Folders

 

[Tarmod]

Mbr log is:
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

I couldn't find either Isiwc or Hiiz files despite changing the folder options to show hidden files.

 

[Bobbye]

It appears we were both out for a while, so you need to catch me up:

Please tell me if any of the original malware problems are still present:
Redirecting sites
Pop-ups with ads
Alert from Avira

I couldn't find either Isiwc or Hiiz files despite changing the folder options to show hidden files.

That's fine- they were removed in the Combofix script.
(Be sure you go back and rehide the files and folders)

I can't do anything else until I know the current problems. Month old logs are now outdated.

 

[Tarmod]

Malware problems are gone. Search engine links work, no pop ups or Avira alerts.

 

[Bobbye]

So why the log?
Removing all of the tools we used and the files and folders they created

• Uninstall ComboFix and all Backups of the files it deleted
• Click START> then RUN
• Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  
  

• Download OTCleanIt by OldTimer and save it to your Desktop.
• Double click OTCleanIt.exe.
• Click the CleanUp! button.
• If you are prompted to Reboot during the cleanup, select Yes.
• The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

• You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
• Go to Start > All Programs > Accessories > System Tools
• Click "System Restore".
• Choose "Create a Restore Point" on the first screen then click "Next".
• Give the Restore Point a name> click "Create".
  
• Go back and follow the path to > System Tools.
  [*]Choose Disc Cleanup
  [*]Click "OK" to select the partition or drive you want.
  [*]Click the "More Options" Tab.
  [*]Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

Empty the Recycle Bin

Since the problems have been resolved, I'm going to close the thread.