BleepingComputer.com: google redirect malware

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

google redirect malware can't remove it, help please?

#1 User is offline   jvfurr 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 8
  • Joined: 12-November 09

Posted 12 November 2009 - 10:19 AM

i'm having trouble with google redirecting to random websites when i click on the links. I think i've removed most of it with malwarebytes, but i'm not sure. I had also had trouble with awareantivirus2009 as well.


DDS (Ver_09-10-26.01) - NTFSx86
Run by jvfurr at 8:42:56.70 on Thu 11/12/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.196 [GMT -5:00]

AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {4CA5B9AB-4295-4D4C-9664-0EBE85AE0525}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
C:\Program Files\EeePC\ACPI\AsEPCMon.exe
C:\Program Files\EeePC\ACPI\AsTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\ASUS\ASUS WebStorage\BackupSetting.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Novell\GroupWise\GrpWise.exe
C:\Program Files\Trend Micro\OfficeScan Client\PccNTMon.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\TEMP\HW663F.EXE
C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
C:\Documents and Settings\jvfurr\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://eeepc.asus.com/global
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AsusACPIServer] c:\program files\eeepc\acpi\AsAcpiSvr.exe
mRun: [AsusEPCMonitor] c:\program files\eeepc\acpi\AsEPCMon.exe
mRun: [AsusTray] c:\program files\eeepc\acpi\AsTray.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SynAsusAcpi] c:\program files\synaptics\syntp\SynAsusAcpi.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [EeeStorageBackup] c:\program files\asus\asus webstorage\service\AsusWSService.exe MySyncFolder
StartupFolder: c:\docume~1\jvfurr\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\jvfurr\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\superh~1.lnk - c:\program files\asus\eeepc\super hybrid engine\SuperHybridEngine.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~3\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\aibelive\voicec~1\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jvfurr\applic~1\mozilla\firefox\profiles\ye8j063v.default\
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(yahoo.homepage.dontask, truec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-10 64288]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-5-7 54752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1179232]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\TmXpflt.sys [2009-5-22 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\TmPreflt.sys [2009-5-22 36368]
R3 AsusACPI;ASUS ACPI Driver;c:\windows\system32\drivers\ASUSACPI.SYS [2009-5-7 10752]
R3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2008-12-16 652552]
R3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [2009-4-1 39040]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-5-7 1684736]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-4-9 38912]
S3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [2009-5-7 232872]

=============== Created Last 30 ================

2009-11-12 13:30:51 89 ----a-w- c:\windows\WPCMAPI.INI
2009-11-12 01:56:30 0 d-----w- c:\docume~1\jvfurr\applic~1\ASUS WebStorage
2009-11-11 19:39:46 0 d-----w- C:\Novell
2009-11-11 18:58:21 0 d-----w- c:\program files\Windows Installer Clean Up
2009-11-11 18:56:56 0 d-----w- c:\program files\MSECACHE
2009-11-11 18:29:57 0 d-----w- C:\GW7Setup
2009-11-11 00:47:01 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-10 23:35:59 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-10 23:35:51 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-10 23:33:48 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-10 23:33:24 0 d-----w- c:\program files\Lavasoft
2009-11-10 22:52:30 0 d-----w- c:\program files\Microsoft Visual Studio 8
2009-11-10 22:51:22 0 d-----w- c:\windows\SHELLNEW
2009-11-10 20:29:19 0 d-----w- c:\program files\uTorrent
2009-11-10 20:28:54 0 d-----w- c:\docume~1\jvfurr\applic~1\uTorrent
2009-11-10 19:50:33 0 d-----w- C:\TMQuarantine
2009-11-10 04:27:48 0 d-----w- c:\program files\CCleaner
2009-11-10 04:06:15 0 d-----w- c:\docume~1\jvfurr\applic~1\Malwarebytes
2009-11-10 04:06:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-10 04:05:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-10 04:05:58 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-10 04:05:57 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-31 18:52:42 0 d-----w- c:\docume~1\jvfurr\applic~1\Research In Motion
2009-10-31 18:43:40 0 d-----w- c:\program files\Roxio
2009-10-31 18:40:41 0 d-----w- c:\docume~1\alluse~1\applic~1\Research In Motion
2009-10-31 18:39:58 0 d-----w- c:\program files\common files\Research In Motion
2009-10-31 18:14:28 256 ----a-w- c:\windows\system32\pool.bin
2009-10-31 18:06:53 27136 ----a-r- c:\windows\system32\drivers\RimSerial.sys
2009-10-31 18:05:16 0 d-----w- c:\program files\Research In Motion
2009-10-26 03:38:20 176 ----a-w- c:\windows\explorer.exe.config
2009-10-21 03:45:21 0 d-sh--w- c:\documents and settings\jvfurr\IECompatCache
2009-10-20 01:40:13 0 d-----w- c:\windows\system32\wbem\Repository
2009-10-16 19:12:13 419 ----a-w- c:\windows\BRWMARK.INI
2009-10-16 19:12:13 27 ----a-w- c:\windows\BRPP2KA.INI
2009-10-16 19:11:43 6784 -c--a-w- c:\windows\system32\dllcache\serscan.sys
2009-10-16 19:11:43 6784 ----a-w- c:\windows\system32\drivers\serscan.sys
2009-10-16 19:11:31 94 ----a-w- c:\windows\brpcfx.ini
2009-10-16 19:11:31 50 ----a-w- c:\windows\system32\bridf07a.dat
2009-10-16 19:11:31 226 ----a-w- c:\windows\Brpfx04a.ini
2009-10-16 19:10:09 0 d-----w- c:\program files\Brother
2009-10-16 19:08:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Brother

==================== Find3M ====================

2009-09-28 15:17:47 0 ----a-w- c:\docume~1\jvfurr\applic~1\wklnhst.dat
2009-09-28 01:02:32 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-27 23:04:31 32 ----a-w- c:\docume~1\alluse~1\applic~1\ezsid.dat
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 03:33:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-05-08 14:07:22 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat

============= FINISH: 8:46:02.03 ===============


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/12 08:56
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA1DF1000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\SoftwareDistribution\Download\b7b0631e184025ba37e5a4ec1d8637e7\update\update.url
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\eb9a3cecaccfdb2a115742a9b5d50b42\update\update.url
Status: Locked to the Windows API!

Path: C:\Documents and Settings\jvfurr\Application Data\Mozilla\Firefox\Profiles\ye8j063v.default\sessionstore.js
Status: Could not get file information (Error 0xc0000008)

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xf75d887e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xf75d8bfe

==EOF==

Attached File(s)


#2 User is offline   Elise 

  • Bleepin' Blonde
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Study Hall Admin
  • Posts: 38,974
  • Joined: 05-October 07
  • Gender:Female
  • Location:Romania

Posted 20 November 2009 - 06:35 AM

Hello ,
And :( to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log
  • GMER log


Please give me some time to review your logs and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.
regards, Elise

"The mind is its own place, and in itself can make a heaven of hell, a hell of heaven." ~ John Milton
Posted Image Follow BleepingComputer on: Facebook | Twitter | Google+

#3 User is offline   jvfurr 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 8
  • Joined: 12-November 09

Posted 20 November 2009 - 08:04 PM

Thanks for your help. I am still experiencing problems with google redirecting in firefox. about 60% of the time, google redirects to other sites that try to get me to install programs and keep me from leaving the page or it redirects to other search pages. I have run malwarebytes and it detected and removed a few things approximately a week and a half ago.

The computer was infected with awareantivirus2009 in addition to the google redirect.

jvfurr


DDS (Ver_09-10-26.01) - NTFSx86
Run by jvfurr at 15:38:22.18 on Fri 11/20/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.406 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
C:\Program Files\EeePC\ACPI\AsEPCMon.exe
C:\Program Files\EeePC\ACPI\AsTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\igfxext.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\jvfurr\My Documents\Downloads\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://eeepc.asus.com/global
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AsusACPIServer] c:\program files\eeepc\acpi\AsAcpiSvr.exe
mRun: [AsusEPCMonitor] c:\program files\eeepc\acpi\AsEPCMon.exe
mRun: [AsusTray] c:\program files\eeepc\acpi\AsTray.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SynAsusAcpi] c:\program files\synaptics\syntp\SynAsusAcpi.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
StartupFolder: c:\docume~1\jvfurr\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\jvfurr\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\superh~1.lnk - c:\program files\asus\eeepc\super hybrid engine\SuperHybridEngine.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\aibelive\voicec~1\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jvfurr\applic~1\mozilla\firefox\profiles\ye8j063v.default\
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(yahoo.homepage.dontask, truec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-10 64288]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-5-7 54752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1179232]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\common files\microsoft shared\windows live\WLIDSVC.EXE [2009-3-30 1533808]
R3 AsusACPI;ASUS ACPI Driver;c:\windows\system32\drivers\ASUSACPI.SYS [2009-5-7 10752]
R3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [2009-4-1 39296]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-5-7 1684736]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 L1c;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-4-9 49664]
S3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [2009-5-7 232872]

=============== Created Last 30 ================

2009-11-19 03:04:28 0 d-----w- c:\program files\AVG
2009-11-12 19:16:47 0 d-----w- c:\docume~1\jvfurr\applic~1\Windows Search
2009-11-12 18:15:29 0 d-----w- c:\docume~1\jvfurr\applic~1\Windows Desktop Search
2009-11-12 17:52:07 0 d-----w- c:\program files\Windows Desktop Search
2009-11-12 17:52:05 0 d-----w- c:\windows\system32\GroupPolicy
2009-11-12 17:33:25 0 d-----w- c:\windows\system32\URTTEMP
2009-11-12 13:30:51 89 ----a-w- c:\windows\WPCMAPI.INI
2009-11-12 01:56:30 0 d-----w- c:\docume~1\jvfurr\applic~1\ASUS WebStorage
2009-11-11 19:39:46 0 d-----w- C:\Novell
2009-11-11 18:58:21 0 d-----w- c:\program files\Windows Installer Clean Up
2009-11-11 18:56:56 0 d-----w- c:\program files\MSECACHE
2009-11-11 00:47:01 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-10 23:35:59 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-10 23:35:51 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-10 23:33:48 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-10 23:33:24 0 d-----w- c:\program files\Lavasoft
2009-11-10 22:52:30 0 d-----w- c:\program files\Microsoft Visual Studio 8
2009-11-10 22:51:22 0 d-----w- c:\windows\SHELLNEW
2009-11-10 20:29:19 0 d-----w- c:\program files\uTorrent
2009-11-10 20:28:54 0 d-----w- c:\docume~1\jvfurr\applic~1\uTorrent
2009-11-10 19:50:33 0 d-----w- C:\TMQuarantine
2009-11-10 04:27:48 0 d-----w- c:\program files\CCleaner
2009-11-10 04:06:15 0 d-----w- c:\docume~1\jvfurr\applic~1\Malwarebytes
2009-11-10 04:06:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-10 04:05:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-10 04:05:58 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-10 04:05:57 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-31 18:52:42 0 d-----w- c:\docume~1\jvfurr\applic~1\Research In Motion
2009-10-31 18:43:40 0 d-----w- c:\program files\Roxio
2009-10-31 18:40:41 0 d-----w- c:\docume~1\alluse~1\applic~1\Research In Motion
2009-10-31 18:39:58 0 d-----w- c:\program files\common files\Research In Motion
2009-10-31 18:14:28 256 ----a-w- c:\windows\system32\pool.bin
2009-10-31 18:06:53 27136 ----a-r- c:\windows\system32\drivers\RimSerial.sys
2009-10-31 18:05:16 0 d-----w- c:\program files\Research In Motion
2009-10-26 03:38:20 176 ----a-w- c:\windows\explorer.exe.config

==================== Find3M ====================

2009-10-21 14:07:36 49664 ----a-w- c:\windows\system32\drivers\l1c51x86.sys
2009-10-08 19:57:02 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2009-10-08 19:57:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 19:56:56 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2009-09-28 15:17:47 0 ----a-w- c:\docume~1\jvfurr\applic~1\wklnhst.dat
2009-09-28 01:02:32 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-27 23:04:31 32 ----a-w- c:\docume~1\alluse~1\applic~1\ezsid.dat
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-05-08 14:07:22 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat

============= FINISH: 15:40:52.50 ===============

GMER 1.0.15.15227 - http://www.gmer.net
Rootkit scan 2009-11-20 16:53:58
Windows 5.1.2600 Service Pack 3
Running: 38vkb8lz.exe; Driver: C:\DOCUME~1\jvfurr\LOCALS~1\Temp\pflcrpoc.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF759887E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7598BFE]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[1756] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

Device \FileSystem\Fastfat \Fat A12C5D20

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Driver\00000802 -> \Driver\iaStor \Device\Harddisk0\DR0 86ED950C

---- EOF - GMER 1.0.15 ----

#4 User is offline   Elise 

  • Bleepin' Blonde
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Study Hall Admin
  • Posts: 38,974
  • Joined: 05-October 07
  • Gender:Female
  • Location:Romania

Posted 21 November 2009 - 05:55 AM

Hello jvfurr,

P2P WARNING
-------------------
Going over your logs I noticed that you have uTorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall uTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please include the following:
  • Combofix.txt
regards, Elise

"The mind is its own place, and in itself can make a heaven of hell, a hell of heaven." ~ John Milton
Posted Image Follow BleepingComputer on: Facebook | Twitter | Google+

#5 User is offline   jvfurr 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 8
  • Joined: 12-November 09

Posted 21 November 2009 - 11:15 AM

Here is the log.


ComboFix 09-11-20.04 - jvfurr 11/21/2009 10:29.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.425 [GMT -5:00]
Running from: c:\documents and settings\jvfurr\My Documents\Downloads\ComboFix.exe
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\iaStor.sys was found and disinfected
Restored copy from - c:\windows\I386\$OEM$\TEXTMODE\IASTOR.SYS

.
((((((((((((((((((((((((( Files Created from 2009-10-21 to 2009-11-21 )))))))))))))))))))))))))))))))
.

2009-11-21 14:06 . 2009-11-21 01:08 3963648 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-21 14:06 . 2009-11-21 01:07 497944 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2009-11-21 14:06 . 2009-11-21 01:07 877848 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2009-11-21 14:06 . 2009-11-21 01:07 1657112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-11-21 01:15 . 2009-11-21 01:15 -------- d-----w- c:\documents and settings\jvfurr\Local Settings\Application Data\AVG Security Toolbar
2009-11-21 01:08 . 2009-11-21 01:08 -------- d-----w- C:\$AVG
2009-11-21 01:08 . 2009-11-21 01:08 25608 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2009-11-21 01:08 . 2009-11-21 01:08 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-21 01:08 . 2009-11-21 01:08 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-21 01:08 . 2009-11-21 01:08 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-11-21 01:08 . 2009-11-21 01:08 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-21 01:08 . 2009-11-21 01:08 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-21 01:08 . 2009-11-21 12:38 -------- d-----w- c:\windows\system32\drivers\Avg
2009-11-21 01:08 . 2009-11-21 01:10 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-11-21 01:07 . 2009-11-21 01:07 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2009-11-21 01:07 . 2009-11-21 01:07 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2009-11-21 01:07 . 2009-11-21 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-11-19 03:04 . 2009-11-19 03:04 -------- d-----w- c:\program files\AVG
2009-11-14 19:56 . 2009-11-14 19:59 -------- d-----w- c:\documents and settings\jvfurr\Local Settings\Application Data\ApplicationHistory
2009-11-12 19:16 . 2009-11-12 19:16 -------- d-----w- c:\documents and settings\jvfurr\Application Data\Windows Search
2009-11-12 18:15 . 2009-11-12 18:15 -------- d-----w- c:\documents and settings\jvfurr\Local Settings\Application Data\Identities
2009-11-12 18:15 . 2009-11-12 18:15 -------- d-----w- c:\documents and settings\jvfurr\Application Data\Windows Desktop Search
2009-11-12 18:09 . 2009-11-12 18:09 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-11-12 17:52 . 2009-11-14 18:21 -------- d-----w- c:\program files\Windows Desktop Search
2009-11-12 17:52 . 2009-11-12 17:52 -------- d-----w- c:\windows\system32\GroupPolicy
2009-11-12 17:33 . 2009-11-12 17:33 -------- d-----w- c:\windows\system32\URTTEMP
2009-11-12 01:56 . 2009-11-13 00:38 -------- d-----w- c:\documents and settings\jvfurr\Application Data\ASUS WebStorage
2009-11-11 19:39 . 2009-11-11 19:39 -------- d-----w- C:\Novell
2009-11-11 18:58 . 2009-11-11 18:58 3584 ----a-r- c:\documents and settings\jvfurr\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-11-11 18:58 . 2009-11-11 18:58 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-11-11 18:56 . 2009-11-11 18:56 -------- d-----w- c:\program files\MSECACHE
2009-11-11 00:47 . 2009-11-10 23:35 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-10 23:34 . 2009-11-10 23:34 1638104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-11-10 23:34 . 2009-11-10 23:34 788368 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-11-10 23:34 . 2009-11-10 23:34 1179232 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-11-10 23:33 . 2009-11-10 23:33 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-10 23:33 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-11-10 23:33 . 2009-11-10 23:33 -------- d-----w- c:\program files\Lavasoft
2009-11-10 23:33 . 2009-11-10 23:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-10 22:56 . 2009-11-10 22:56 -------- d-----w- c:\program files\Microsoft.NET
2009-11-10 22:52 . 2009-11-10 22:52 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-11-10 22:51 . 2009-11-10 22:57 -------- d-----w- c:\windows\SHELLNEW
2009-11-10 22:49 . 2009-11-10 22:49 -------- d-----r- C:\MSOCache
2009-11-10 20:29 . 2009-11-10 20:29 -------- d-----w- c:\program files\uTorrent
2009-11-10 20:28 . 2009-11-10 20:30 -------- d-----w- c:\documents and settings\jvfurr\Application Data\uTorrent
2009-11-10 19:50 . 2009-11-17 15:33 -------- d-----w- C:\TMQuarantine
2009-11-10 04:27 . 2009-11-10 04:28 -------- d-----w- c:\program files\CCleaner
2009-11-10 04:06 . 2009-11-10 04:06 -------- d-----w- c:\documents and settings\jvfurr\Application Data\Malwarebytes
2009-11-10 04:06 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-10 04:05 . 2009-11-10 04:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-10 04:05 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-10 04:05 . 2009-11-10 04:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-09 19:23 . 2009-11-09 19:23 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-09 18:40 . 2009-11-15 01:01 -------- d-----w- c:\documents and settings\jvfurr\Local Settings\Application Data\volmlb
2009-10-31 18:52 . 2009-10-31 18:52 -------- d-----w- c:\documents and settings\jvfurr\Application Data\Research In Motion
2009-10-31 18:43 . 2009-10-31 18:49 -------- d-----w- c:\program files\Roxio
2009-10-31 18:40 . 2009-10-31 18:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
2009-10-31 18:40 . 2009-10-31 18:49 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-10-31 18:39 . 2009-10-31 18:40 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-10-31 18:14 . 2009-11-10 20:35 256 ----a-w- c:\windows\system32\pool.bin
2009-10-31 18:12 . 2009-10-31 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2009-10-31 18:12 . 2009-10-31 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2009-10-31 18:08 . 2009-10-31 18:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2009-10-31 18:06 . 2009-01-09 20:18 27136 ----a-r- c:\windows\system32\drivers\RimSerial.sys
2009-10-31 18:05 . 2009-10-31 18:42 -------- d-----w- c:\program files\Research In Motion

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-21 15:53 . 2009-09-27 23:01 -------- d-----w- c:\documents and settings\jvfurr\Application Data\Skype
2009-11-14 18:04 . 2009-05-07 14:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-13 14:09 . 2009-10-13 12:41 -------- d-----w- c:\documents and settings\jvfurr\Application Data\PrimoPDF
2009-11-12 01:56 . 2009-05-07 14:14 -------- d-----w- c:\program files\ASUS
2009-11-10 23:33 . 2009-09-28 08:04 103024 ----a-w- c:\documents and settings\jvfurr\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-10 22:58 . 2009-09-30 13:58 -------- d-----w- c:\program files\MSBuild
2009-10-31 18:49 . 2009-05-07 14:15 -------- d-----w- c:\program files\Common Files\InstallShield
2009-10-31 18:12 . 2009-09-28 08:04 -------- d-----w- c:\documents and settings\jvfurr\Application Data\InstallShield
2009-10-31 17:34 . 2009-10-01 20:49 1 ----a-w- c:\documents and settings\jvfurr\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-10-21 14:07 . 2009-04-09 11:17 49664 ----a-w- c:\windows\system32\drivers\l1c51x86.sys
2009-10-20 01:39 . 2009-10-02 17:14 -------- d-----w- c:\documents and settings\jvfurr\Application Data\U3
2009-10-16 19:11 . 2009-10-16 19:11 50 ----a-w- c:\windows\system32\bridf07a.dat
2009-10-16 19:10 . 2009-10-16 19:10 -------- d-----w- c:\program files\Brother
2009-10-16 19:10 . 2009-05-07 14:11 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-16 19:08 . 2009-10-16 19:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Brother
2009-10-13 12:40 . 2009-10-13 12:40 -------- d-----w- c:\program files\Nitro PDF
2009-10-08 19:57 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2009-10-08 19:57 . 2009-04-29 10:54 220160 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 19:56 . 2009-04-29 10:54 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-03 03:37 . 2009-10-03 03:37 -------- d-----w- c:\documents and settings\jvfurr\Application Data\Amazon
2009-10-03 03:31 . 2009-10-03 03:31 -------- d-----w- c:\program files\Amazon
2009-10-01 20:48 . 2009-10-01 20:48 -------- d-----w- c:\documents and settings\jvfurr\Application Data\OpenOffice.org
2009-09-30 17:57 . 2009-09-30 17:57 -------- d-----r- c:\program files\Skype
2009-09-30 17:57 . 2009-05-07 14:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-09-30 16:43 . 2009-09-30 14:44 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-30 14:44 . 2009-05-07 14:21 -------- d-----w- c:\program files\Microsoft
2009-09-30 14:42 . 2009-05-07 14:20 -------- d-----w- c:\program files\Windows Live
2009-09-30 14:25 . 2009-05-07 14:16 -------- d-----w- c:\program files\Microsoft Works
2009-09-30 13:58 . 2009-09-30 13:58 -------- d-----w- c:\program files\Reference Assemblies
2009-09-30 04:00 . 2009-04-29 11:06 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-09-30 01:47 . 2009-09-30 01:46 -------- d-----w- c:\documents and settings\jvfurr\Application Data\acccore
2009-09-30 01:44 . 2009-09-30 01:44 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM
2009-09-30 01:44 . 2009-09-30 01:44 -------- d-----w- c:\program files\AIM
2009-09-30 01:44 . 2009-09-30 01:44 -------- d-----w- c:\program files\Common Files\Software Update Utility
2009-09-30 01:44 . 2009-09-30 01:44 -------- d-----w- c:\program files\Common Files\AOL
2009-09-29 22:37 . 2009-09-29 22:37 -------- d-----w- c:\documents and settings\jvfurr\Application Data\EeeStorageUploader
2009-09-29 22:34 . 2009-09-29 22:34 -------- d-----w- c:\documents and settings\jvfurr\Application Data\Asus
2009-09-28 15:17 . 2009-09-28 15:17 0 ----a-w- c:\documents and settings\jvfurr\Application Data\wklnhst.dat
2009-09-28 02:50 . 2009-09-28 08:04 -------- d-----w- c:\documents and settings\jvfurr\Application Data\VoiceCommand
2009-09-28 01:44 . 2009-09-28 01:43 -------- d-----w- c:\documents and settings\jvfurr\Application Data\Media Player Classic
2009-09-28 01:42 . 2009-09-28 01:42 -------- d-----w- c:\program files\Combined Community Codec Pack
2009-09-28 01:09 . 2009-09-28 01:09 -------- d-----w- c:\program files\MSXML 4.0
2009-09-28 01:03 . 2009-09-28 01:03 -------- d-----w- c:\program files\JRE
2009-09-28 01:03 . 2009-09-28 01:03 -------- d-----w- c:\program files\OpenOffice.org 3
2009-09-28 01:02 . 2009-09-28 01:02 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-28 01:02 . 2009-09-28 01:02 -------- d-----w- c:\program files\Java
2009-09-27 23:04 . 2009-09-27 23:04 32 ----a-w- c:\documents and settings\All Users\Application Data\ezsid.dat
2009-09-27 23:04 . 2009-09-27 23:04 -------- d-----w- c:\documents and settings\jvfurr\Application Data\skypePM
2009-09-27 23:01 . 2009-09-27 23:01 0 ----a-w- c:\windows\nsreg.dat
2009-09-23 12:55 . 2009-11-10 23:35 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-11 14:18 . 2009-04-29 10:54 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2009-04-29 10:54 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2009-04-29 10:54 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2009-04-29 10:54 247326 ----a-w- c:\windows\system32\strmdll.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1115392]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-10-16 17:13 1115392 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1115392]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-09-02 25626408]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2009-04-16 630784]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2009-03-13 98304]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2009-04-16 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-06 1434920]
"SynAsusAcpi"="c:\program files\Synaptics\SynTP\SynAsusAcpi.exe" [2009-03-06 79144]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-23 663552]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-01-26 65536]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-08-31 623960]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-21 2020120]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-03-27 17567744]

c:\documents and settings\jvfurr\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2009-5-7 376832]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-9-2 604776]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-21 01:08 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\ASUS\\EzMessenger\\Clotho.exe"=
"c:\\Program Files\\ASUS\\EzMessenger\\EzMessenger.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Brother\\Brmfl07a\\FAXRX.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Novell\\GroupWise\\grpwise.exe"=
"c:\\Novell\\GroupWise\\notify.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"54925:UDP"= 54925:UDP:Brother Network Scanner

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [11/20/2009 8:08 PM 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [11/20/2009 8:08 PM 161800]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/10/2009 6:35 PM 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/20/2009 8:08 PM 333192]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/20/2009 8:08 PM 360584]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/20/2009 8:07 PM 285392]
R2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [11/20/2009 8:07 PM 2304192]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [11/20/2009 8:07 PM 5832712]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [5/7/2009 9:27 AM 54752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 6:17 AM 1179232]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [3/30/2009 4:28 PM 1533808]
R3 AsusACPI;ASUS ACPI Driver;c:\windows\system32\drivers\ASUSACPI.SYS [5/7/2009 8:24 PM 10752]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [11/20/2009 8:07 PM 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [11/20/2009 8:07 PM 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [11/20/2009 8:07 PM 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [11/20/2009 8:07 PM 25736]
R3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [4/1/2009 9:19 PM 39296]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [5/7/2009 8:19 PM 1684736]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [11/20/2009 8:07 PM 30104]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 9:48 PM 704864]
S3 L1c;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [4/9/2009 6:17 AM 49664]
S3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [5/7/2009 9:35 PM 232872]
.
Contents of the 'Scheduled Tasks' folder

2009-11-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 23:35]

2009-11-21 c:\windows\Tasks\User_Feed_Synchronization-{414BB76E-C0F8-46AE-AB55-F244DA686115}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://eeepc.asus.com/global
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\jvfurr\Application Data\Mozilla\Firefox\Profiles\ye8j063v.default\
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(yahoo.homepage.dontask, truec:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-21 10:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(5468)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\btmmhook.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\System32\snmp.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\igfxext.exe
c:\program files\Brother\ControlCenter3\brccMCtl.exe
c:\program files\Brother\Brmfcmon\BrMfimon.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
.
**************************************************************************
.
Completion time: 2009-11-21 10:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-21 15:58

Pre-Run: 50,452,045,824 bytes free
Post-Run: 51,504,566,272 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - DAFED07F7C011F315E39C78E2C510586

#6 User is offline   Elise 

  • Bleepin' Blonde
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Study Hall Admin
  • Posts: 38,974
  • Joined: 05-October 07
  • Gender:Female
  • Location:Romania

Posted 21 November 2009 - 11:29 AM

Looks better already :(

Still having redirects?

For now, please run MBAM, update it first and run a full scan. Post me the log when done.
regards, Elise

"The mind is its own place, and in itself can make a heaven of hell, a hell of heaven." ~ John Milton
Posted Image Follow BleepingComputer on: Facebook | Twitter | Google+

#7 User is offline   jvfurr 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 8
  • Joined: 12-November 09

Posted 21 November 2009 - 12:38 PM

I think the redirects have stopped.
Thank you so much for your help!

jvfurr

Malwarebytes' Anti-Malware 1.41
Database version: 3137
Windows 5.1.2600 Service Pack 3

11/21/2009 12:35:24 PM
mbam-log-2009-11-21 (12-35-24).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 162425
Time elapsed: 1 hour(s), 3 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 User is offline   Elise 

  • Bleepin' Blonde
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Study Hall Admin
  • Posts: 38,974
  • Joined: 05-October 07
  • Gender:Female
  • Location:Romania

Posted 21 November 2009 - 02:34 PM

Hello jvfurr,

UPDATE JAVA
------------------
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 16.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u15-windows-i586.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.


ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.

  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    Note - when ESET doesn't find any threats, no report will be created.
  • Push the Posted Image button.
  • Push Posted Image

In your next reply, please include the following:
  • ESET online scan results
regards, Elise

"The mind is its own place, and in itself can make a heaven of hell, a hell of heaven." ~ John Milton
Posted Image Follow BleepingComputer on: Facebook | Twitter | Google+

#9 User is offline   jvfurr 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 8
  • Joined: 12-November 09

Posted 22 November 2009 - 07:23 PM

ESET detected this.


C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\iaStor.sys.vir Win32/Olmarik.PY virus deleted - quarantined

#10 User is offline   Elise 

  • Bleepin' Blonde
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Study Hall Admin
  • Posts: 38,974
  • Joined: 05-October 07
  • Gender:Female
  • Location:Romania

Posted 23 November 2009 - 04:00 AM

Hello jvfurr,

ALL CLEAN
--------------
Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Please do the following to remove the remaining programs from your PC:
  • Delete the tools used during the disinfection:
    • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.
    • Delete DDS, GMER (this is a random named file) and RootRepeal
Please read these advices, in order to prevent reinfecting your PC:
  • Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on regular basis.If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on thehosts file, and what it can do for you,please consult the Tutorial on the Hosts file

  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on yourmachine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.
Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.
regards, Elise

"The mind is its own place, and in itself can make a heaven of hell, a hell of heaven." ~ John Milton
Posted Image Follow BleepingComputer on: Facebook | Twitter | Google+

#11 User is offline   Elise 

  • Bleepin' Blonde
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Study Hall Admin
  • Posts: 38,974
  • Joined: 05-October 07
  • Gender:Female
  • Location:Romania

Posted 26 November 2009 - 06:35 AM

This topic is now closed.

If you are the original topic starter and you need this topic to be re-opened, please send me a PM.

Everyone else, please start a new topic.
regards, Elise

"The mind is its own place, and in itself can make a heaven of hell, a hell of heaven." ~ John Milton
Posted Image Follow BleepingComputer on: Facebook | Twitter | Google+

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users