
google re-director and spyware blocker


  • This topic is locked
18 replies to this topic

#1 melbmark30

melbmark30

  • Members
  • 9 posts
  • OFFLINE
  • Local time:01:39 AM

Posted 29 May 2009 - 05:06 AM

Hi

Whenever I go into Google and enter a search term, the links returned appear at first glance, but when you click them they always open in a new window and sometimes take you to other unrelated pages. I have tried downloading popular spyware/malware tools, but it seems this malware blocks them from receiving updates and running as well. So as you can see, very tricky to get rid of. Any help would be greatly appreciated.

DDS post below:


DDS (Ver_09-05-14.01) - NTFSx86
Run by Mark S at 20:01:22.85 on Fri 29/05/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2741 [GMT 10:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ASUS\EPU-4 Engine\FourEngine.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\Messenger\msmsgs.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUALL.EXE
C:\Documents and Settings\Mark S\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.theage.com.au/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [RGSC] c:\program files\rockstar games\rockstar games social club\RGSCLauncher.exe /silent
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Six Engine] "c:\program files\asus\epu-4 engine\FourEngine.exe" -r
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [a-squared] "c:\program files\a-squared anti-malware\a2guard.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: NameServer = 85.255.112.190,85.255.112.232
TCP: {447A21A8-40FE-417A-88CA-D5CD927D2EF8} = 85.255.112.190,85.255.112.232
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\marks~1\applic~1\mozilla\firefox\profiles\eb9l65h2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - plugin: c:\program files\google\google updater\2.4.1591.6512\npCIDetect13.dll

============= SERVICES / DRIVERS ===============

R2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2003-5-2 30208]
R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\symant~1\symant~1\Rtvscan.exe [2003-5-21 610304]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [2008-11-24 36864]
R3 NAVAP;NAVAP;c:\progra~1\symant~1\symant~1\NAVAP.sys [2003-5-2 224256]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090522.002\NAVENG.sys [2009-5-23 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090522.002\NAVEX15.sys [2009-5-23 876144]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S2 a2AntiMalware;a-squared Anti-Malware Service;"c:\program files\a-squared anti-malware\a2service.exe" --> c:\program files\a-squared anti-malware\a2service.exe [?]

=============== Created Last 30 ================

2009-05-27 20:49 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-05-27 20:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-05-27 20:43 <DIR> --d----- c:\windows\pss
2009-05-25 23:31 <DIR> --d----- c:\program files\a-squared Anti-Malware
2009-05-24 13:46 <DIR> --d----- c:\windows\system32\appmgmt
2009-05-24 11:02 552 a------- c:\windows\system32\d3d8caps.dat
2009-05-18 21:28 376 ---shr-- C:\autorun.inf

==================== Find3M ====================

2009-05-24 13:46 87,608 a------- c:\docume~1\marks~1\applic~1\inst.exe
2009-05-24 13:46 47,360 a------- c:\docume~1\marks~1\applic~1\pcouffin.sys
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-07 00:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-05 22:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-03 10:18 826,368 a------- c:\windows\system32\wininet.dll

============= FINISH: 20:01:36.73 ===============


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:39 AM

Posted 30 May 2009 - 09:23 AM

Hello melbmark30,

Are you a Java programmer or Java developer? Do you use the following programs?
If not, then uninstall them.
Java DB 10.4.1.3
Java™ SE Development Kit 6 Update 11


******************


A new version of HijackThis has now been released, so before you repost your log please download and install the new version by following the instructions here: http://www.download.com/Trend-Micro-Hijack....html?tag=mncol

Note that it is unnecessary to uninstall the old version because the new one will be copied to a different folder.

Let it install in the default folder C:\Program Files\Trend Micro\HijackThis

******************

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

******************

Please download Malwarebytes' Anti-Malware from one of these places:
http://download.cnet.com/Malwarebytes-Anti...&tag=button
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Edited by SifuMike, 30 May 2009 - 09:26 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 melbmark30

melbmark30
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:01:39 AM

Posted 30 May 2009 - 09:02 PM

Hey SifuMike

Thanks heaps for your help. I have attached the new HijackThis 2.02 log, the securitycheck log and the MBAM log.

On the MBAM log, it found a Trojan.DNSChanger (called gxvxccounter). Note though that when I removed it and restarted my PC, Windows wouldn't restart properly (it would hang on the Windows XP Welcome page). I then needed to reboot the PC again and it started up OK. I repeated this again and the same malware was found again and the process repeated exactly (i.e. welcome screen hung, had to reboot). Not sure if this is part of this malware either.

When I went into IE again, at first it looked to be fine again but after a few google searches the same symptoms appeared.

Cheers
Mark

Results of screen317's Security Check version 0.98.3
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````

Windows Firewall Enabled!
SymantecAntiVirusClient
ECHO is off.
Error obtaining update status for antivirus!
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````

a-squared Anti-Malware 3.5
Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java™ 6 Update 14
Java™ SE Development Kit 6 Update 11
Java DB 10.4.1.3
Out of date Java installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````

``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````


Scan took 26 seconds.
`````````End of Log```````````


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:30:47 AM, on 31/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ASUS\EPU-4 Engine\FourEngine.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theage.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Six Engine] "C:\Program Files\ASUS\EPU-4 Engine\FourEngine.exe" -r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [RGSC] C:\Program Files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe /silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Unknown owner - C:\Program Files\a-squared Anti-Malware\a2service.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7574 bytes


Malwarebytes' Anti-Malware 1.37
Database version: 2198
Windows 5.1.2600 Service Pack 3

31/05/2009 11:38:52 AM
mbam-log-2009-05-31 (11-38-52).txt

Scan type: Quick Scan
Objects scanned: 83818
Time elapsed: 2 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\gxvxccounter (Trojan.DNSchanger) -> Quarantined and deleted successfully.



Edited by SifuMike, 30 May 2009 - 09:10 PM.
insert log for ease of reading


#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:39 AM

Posted 30 May 2009 - 09:17 PM

Hi melbmark30,

Do me a favor and do not attach your logs. It makes it more difficult to read when they are attached. :thumbup2:

Are you a Java developer or programmer?
Do you use these programs? If not, then uninstall them.

Java™ SE Development Kit 6 Update 11
Java DB 10.4.1.3


Did you run Malwarebytes several times? I want to see the first log of Malwarebytes where it quarantined and deleted the malware. Please post it.

BTW, is this a business, corporate or work computer?

Edited by SifuMike, 30 May 2009 - 09:23 PM.
spelling


#5 melbmark30

melbmark30
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:01:39 AM

Posted 30 May 2009 - 10:03 PM

Hey SifuMike

Yeah, I do some Java dev, so I will keep those Java apps for now. This is just a home PC. I have attached the MBAM log of the very first time I deleted the malware below. Thanks!

Malwarebytes' Anti-Malware 1.37
Database version: 2182
Windows 5.1.2600 Service Pack 3

29/05/2009 9:31:56 PM
mbam-log-2009-05-29 (21-31-56).txt

Scan type: Quick Scan
Objects scanned: 92640
Time elapsed: 4 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.190,85.255.112.232 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{447a21a8-40fe-417a-88ca-d5cd927d2ef8}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.190,85.255.112.232 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.190,85.255.112.232 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{447a21a8-40fe-417a-88ca-d5cd927d2ef8}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.190,85.255.112.232 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.190,85.255.112.232 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{447a21a8-40fe-417a-88ca-d5cd927d2ef8}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.190,85.255.112.232 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\autorun.inf (Trojan.DNSChanger) -> Quarantined and deleted successfully.
c:\RECYCLER\S-8-4-77-100027732-100005438-100010806-9059.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gxvxccounter (Trojan.DNSchanger) -> Quarantined and deleted successfully.
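
The MBAM entries above show the infection's footprint: the Tcpip\Parameters\NameServer value and the per-interface NameServer values were pointed at 85.255.112.190 and 85.255.112.232 instead of the router or ISP resolvers, which is exactly what the "TCP: NameServer" lines in the original DDS log showed before cleanup. The following is an added example, not part of the thread and not code from DDS, HijackThis or Malwarebytes, that parses DDS "TCP:" lines and MBAM registry-data lines for resolver addresses and flags any outside an expected set; the expected set (a hypothetical 192.168.1.1 router) and the sample log lines are assumptions constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Resolvers this machine is expected to use. Assumed for the example: a home
# PC normally gets its DNS from the router or the ISP's DHCP lease, so the
# real list should come from there (or from the corporate DNS servers).
EXPECTED_RESOLVERS = frozenset({ipaddress.ip_address("192.168.1.1")})

# DDS "Pseudo HJT Report" lines: "TCP: NameServer = a,b" or "TCP: {GUID} = a,b"
DDS_RE = re.compile(
    r"^TCP:\s+(?P<key>NameServer|\{[0-9A-Fa-f-]{36}\})\s*=\s*(?P<value>[0-9.,\s]+)$"
)
# MBAM "Registry Data Items Infected" lines: "HKLM\...\NameServer (...) -> Data: a,b -> ..."
MBAM_RE = re.compile(
    r"^(?P<key>HKEY_LOCAL_MACHINE\\[^\s]*\\NameServer)\b.*?->\s*Data:\s*(?P<value>[0-9.,\s]+?)\s*->"
)

# Sample lines constructed for this example, modelled on the DDS and MBAM
# output posted in the thread (the 192.168.1.1 interface is hypothetical).
SAMPLE_LOG = r"""
TCP: NameServer = 85.255.112.190,85.255.112.232
TCP: {447A21A8-40FE-417A-88CA-D5CD927D2EF8} = 85.255.112.190,85.255.112.232
TCP: {11111111-2222-3333-4444-555555555555} = 192.168.1.1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.190,85.255.112.232 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{447a21a8-40fe-417a-88ca-d5cd927d2ef8}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.190,85.255.112.232 -> Quarantined and deleted successfully.
uStart Page = hxxp://www.theage.com.au/
"""


@dataclass(frozen=True)
class Finding:
    key: str       # registry value / interface GUID the resolver came from
    resolver: str  # the DNS server address that was configured there
    reason: str


def parse_nameservers(text):
    """Yield (key, comma-separated value) pairs from DDS and MBAM log lines."""
    for line in text.splitlines():
        line = line.strip()
        m = DDS_RE.match(line) or MBAM_RE.match(line)
        if m:
            yield m.group("key"), m.group("value")


def audit_resolvers(text, expected=EXPECTED_RESOLVERS):
    """Flag every configured resolver that is not in the expected set.

    A publicly routable resolver on a machine that should be using its
    router or ISP is the pattern the MBAM log above labels Trojan.DNSChanger.
    """
    findings = []
    for key, value in parse_nameservers(text):
        for raw in value.split(","):
            raw = raw.strip()
            if not raw:
                continue
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:
                findings.append(Finding(key, raw, "unparseable resolver address"))
                continue
            if ip in expected:
                continue
            reason = "resolver not in the expected set"
            if ip.is_global:
                reason += " and publicly routable (typical of DNSChanger)"
            findings.append(Finding(key, str(ip), reason))
    return findings


def rogue_resolvers(text, expected=EXPECTED_RESOLVERS):
    """Distinct unexpected resolver addresses, for a quick summary."""
    return sorted({f.resolver for f in audit_resolvers(text, expected)})


if __name__ == "__main__":
    for f in audit_resolvers(SAMPLE_LOG):
        print(f"{f.key}: {f.resolver} -> {f.reason}")
    print("rogue resolvers:", rogue_resolvers(SAMPLE_LOG))
```

Run it over a real DDS or MBAM log with the expected set replaced by the resolvers the router or ISP actually hands out; anything flagged should match the entries a removal tool reports under NameServer.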

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:39 AM

Posted 31 May 2009 - 12:07 AM

Hi melbmark30,

We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your Symantec AntiVirus before running ComboFix, as it will prevent it from running.

Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Edited by SifuMike, 31 May 2009 - 12:08 AM.


#7 melbmark30

melbmark30
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:39 AM

Posted 31 May 2009 - 04:11 AM

Hey SifuMike

Here is the Combofix log below:

ComboFix 09-05-30.03 - Mark S 31/05/2009 18:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2913 [GMT 10:00]
Running from: c:\documents and settings\Mark S\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Mark S\Application Data\inst.exe
c:\windows\system32\drivers\gxvxclqpmetehyijnlqhcvnmnytoyvxtwpxrq.sys
c:\windows\system32\gxvxccounter
c:\windows\system32\gxvxctvvmktkftimowpalbpjnskqpkdlsmpyn.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_GXVXCSERV.SYS


((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-31 )))))))))))))))))))))))))))))))
.

2009-05-31 08:35 . 2009-05-31 08:35 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-05-31 01:30 . 2009-05-31 01:30 -------- d-----w c:\program files\Trend Micro
2009-05-29 13:26 . 2009-05-31 08:51 80136 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-05-29 12:38 . 2009-05-29 12:38 -------- d-sh--w c:\documents and settings\Mark S\IECompatCache
2009-05-29 12:36 . 2009-05-29 12:36 -------- d-sh--w c:\documents and settings\Mark S\PrivacIE
2009-05-29 12:35 . 2009-05-29 12:35 -------- d-sh--w c:\documents and settings\Mark S\IETldCache
2009-05-29 12:05 . 2009-05-29 12:34 -------- d-----w C:\baa702fff9cd559252f9bb
2009-05-29 12:03 . 2009-05-29 12:03 -------- d-----w c:\windows\ie8updates
2009-05-29 12:02 . 2009-05-12 05:11 102912 -c----w c:\windows\system32\dllcache\iecompat.dll
2009-05-29 12:01 . 2009-05-29 12:02 -------- dc-h--w c:\windows\ie8
2009-05-29 11:23 . 2009-05-29 11:23 -------- d-----w c:\documents and settings\Mark S\Application Data\Malwarebytes
2009-05-29 11:20 . 2009-05-29 11:20 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-29 11:20 . 2009-05-26 03:20 40160 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-29 11:20 . 2009-05-26 03:19 19096 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-29 11:20 . 2009-05-31 01:34 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-27 10:49 . 2009-05-29 09:39 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-27 10:49 . 2009-05-29 09:39 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-25 13:31 . 2009-05-29 09:23 -------- d-----w c:\program files\a-squared Anti-Malware
2009-05-24 03:56 . 2009-05-24 03:57 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-05-24 01:02 . 2009-05-24 01:02 552 ----a-w c:\windows\system32\d3d8caps.dat
2009-05-23 05:30 . 2009-05-29 09:39 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-23 01:43 . 2009-05-24 03:45 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-30 15:26 . 2008-11-24 11:47 20656 ----a-w c:\documents and settings\Mark S\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-29 11:18 . 2008-11-28 10:01 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-29 05:42 . 2008-11-24 09:26 -------- d--h--w c:\documents and settings\Mark S\Application Data\dvdcss
2009-05-24 03:56 . 2008-11-26 07:38 -------- d-----w c:\program files\Google
2009-05-24 03:48 . 2009-02-14 01:18 -------- d-----w c:\program files\WinUAE
2009-05-24 03:46 . 2009-02-09 11:05 47360 ----a-w c:\documents and settings\Mark S\Application Data\pcouffin.sys
2009-05-24 03:46 . 2009-02-09 11:05 47360 ----a-w c:\documents and settings\Mark S\Application Data\pcouffin.sys
2009-05-24 03:46 . 2009-02-09 11:05 -------- d-----w c:\documents and settings\Mark S\Application Data\Vso
2009-05-23 05:22 . 2008-12-15 12:19 -------- d-----w c:\program files\Sierra
2009-05-23 05:21 . 2009-01-31 07:28 -------- d-----w c:\program files\Frets on Fire
2009-04-04 22:32 . 2009-03-21 05:53 -------- d-----w c:\documents and settings\Mark S\Application Data\Apple Computer
2009-04-04 22:24 . 2008-11-28 10:00 -------- d-----w c:\program files\Java
2009-04-04 22:23 . 2009-04-04 22:23 152576 ----a-w c:\documents and settings\Mark S\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-04 04:01 . 2008-11-28 09:34 -------- d-----w c:\program files\Canon
2009-04-04 04:00 . 2009-04-04 04:00 -------- d-----w c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-04-04 03:58 . 2009-04-04 03:58 -------- d-----w c:\program files\Common Files\Canon
2009-04-04 03:28 . 2008-12-10 12:21 -------- d-----w c:\program files\DivX
2009-04-04 03:28 . 2009-04-04 03:28 -------- d-----w c:\program files\Common Files\DivX Shared
2009-03-12 10:18 . 2009-03-12 10:18 75048 ----a-w c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.0.52\SetupAdmin.exe
2009-03-07 18:34 . 2004-08-04 01:07 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-07 18:34 . 2004-08-04 01:07 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-07 18:33 . 2004-08-04 01:07 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-07 18:33 . 2004-08-04 01:07 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-07 18:32 . 2004-08-04 01:07 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-07 18:32 . 2004-08-04 01:07 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-07 18:31 . 2004-08-04 01:07 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-07 18:31 . 2004-08-04 01:07 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-07 18:31 . 2004-08-04 01:07 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-07 18:22 . 2004-08-04 01:07 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2004-08-04 01:07 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-05 12:59 . 2009-03-21 05:51 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-05 12:59 . 2009-03-21 05:51 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-03 68856]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-04-29 3338240]
"RGSC"="c:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe" [2009-01-03 306088]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"Six Engine"="c:\program files\ASUS\EPU-4 Engine\FourEngine.exe" [2008-06-25 5625344]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-20 90112]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-11 34672]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-29 148888]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-06-13 16871936]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=

R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [24/11/2008 7:13 PM 36864]
S0 thgcbtb;thgcbtb;c:\windows\system32\drivers\kfafvwqn.sys --> c:\windows\system32\drivers\kfafvwqn.sys [?]
S0 vggmculh;vggmculh;c:\windows\system32\drivers\scoqlzg.sys --> c:\windows\system32\drivers\scoqlzg.sys [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-31 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-26 03:56]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
HKLM-Run-a-squared - c:\program files\a-squared Anti-Malware\a2guard.exe
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.theage.com.au/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
FF - ProfilePath - c:\documents and settings\Mark S\Application Data\Mozilla\Firefox\Profiles\eb9l65h2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - plugin: c:\program files\Google\Google Updater\2.4.1591.6512\npCIDetect13.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-31 18:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1229272821-1425521274-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:7c,2a,82,20,cc,0b,57,82,4f,9d,fc,b8,d0,d8,6e,ff,26,72,a8,85,7d,
5a,5c,b4,bd,da,69,b6,0d,ae,bd,a0,66,14,46,c6,e5,2c,89,51,d6,ae,38,f3,45,0c,\
"rkeysecu"=hex:22,10,06,d2,98,35,41,63,60,ad,aa,fa,62,90,84,1e
.
Completion time: 2009-05-31 18:59
ComboFix-quarantined-files.txt 2009-05-31 08:59

Pre-Run: 436,808,830,976 bytes free
Post-Run: 437,211,193,344 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

168 --- E O F --- 2009-05-29 22:28

#8 SifuMike

SifuMike

    malware expert



Posted 31 May 2009 - 11:03 AM

Hi melbmark30,

You need to disable your Symantec AntiVirus before running ComboFix, as it will prevent it from running.

Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
c:\windows\system32\drivers\scoqlzg.sys 
c:\windows\system32\drivers\kfafvwqn.sys

Registry:: 
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001

Driver:: 
thgcbtb
vggmculh


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
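Added example for this thread (not ComboFix's own code and not the helper's CFScript): a small Python triage script that reads the plain-text sections shown in the log above and flags the two things the CFScript targets, drivers whose file ComboFix could not verify ("[?]") and whose service name does not match the file name (the pattern of the two S0 entries), plus the Security Center and firewall values that were set to ignore the anti-virus and disable the firewall. The sample lines are constructed from the log in this thread; the parsing rules and the Finding record are assumptions of this example, and the script only reports, it changes nothing.

```python
"""Triage helper for ComboFix log text (added example, not ComboFix code).

Flags unverifiable drivers whose service name is unlike their file name,
and Security Center / firewall values that weaken the machine's defences.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines in the shape ComboFix prints, taken from the
# log posted earlier in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [24/11/2008 7:13 PM 36864]
S0 thgcbtb;thgcbtb;c:\windows\system32\drivers\kfafvwqn.sys --> c:\windows\system32\drivers\kfafvwqn.sys [?]
S0 vggmculh;vggmculh;c:\windows\system32\drivers\scoqlzg.sys --> c:\windows\system32\drivers\scoqlzg.sys [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
"""

# "<start> <service>;<display>;<image path> [--> <resolved path>] [<date size> | ?]"
DRIVER_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?)(?:\s+-->\s+(?P<resolved>.*?))?\s+\[(?P<meta>[^\]]*)\]\s*$"
)
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')


@dataclass(frozen=True)
class Finding:
    kind: str    # "driver" or "registry"
    item: str    # service name or registry value name
    detail: str  # why it was flagged


def _file_stem(path: str) -> str:
    """Last path component without its extension, lower-cased."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def _reg_int(value: str):
    """Integer of a REGEDIT-style value ('dword:00000001' or '0 (0x0)'), else None."""
    v = value.strip()
    if v.lower().startswith("dword:"):
        return int(v[6:], 16)
    try:
        return int(v.split(" ", 1)[0], 0)
    except ValueError:
        return None


def check_driver_line(line: str):
    """Return a Finding for a suspicious driver/service line, else None."""
    m = DRIVER_RE.match(line)
    if not m:
        return None
    name, path, meta = m["name"], m["path"], m["meta"].strip()
    unverified = meta == "?"                     # ComboFix could not read the file
    mismatch = _file_stem(path) != name.lower()  # service name unrelated to file name
    if not (unverified and mismatch):
        return None
    when = "boot-start, loads before anti-virus" if m["start"] == "S0" else "start " + m["start"]
    return Finding("driver", name, f"{when}; file {path} unverifiable and named unlike the service")


def check_registry_value(key: str, name: str, value: str):
    """Return a Finding when a value weakens Security Center or the firewall, else None."""
    k, n, v = key.lower(), name.lower(), _reg_int(value)
    if k.endswith("security center") and n == "antivirusoverride" and v == 1:
        return Finding("registry", name, "Security Center told to ignore anti-virus status (expected 0)")
    if k.endswith("firewallpolicy\\standardprofile") and n == "enablefirewall" and v == 0:
        return Finding("registry", name, "Windows Firewall disabled on the standard profile (expected 1)")
    return None


def triage(log_text: str):
    """Walk the log once; registry values are judged under the most recent [key] line."""
    findings, current_key = [], ""
    for raw in log_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current_key = key["key"]
            continue
        val = VALUE_RE.match(line)
        f = check_registry_value(current_key, val["name"], val["value"]) if val else check_driver_line(line)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:8} {f.item:18} {f.detail}")
```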

#9 melbmark30

melbmark30
  • Topic Starter


Posted 31 May 2009 - 05:42 PM

Hey SifuMike

Just to confirm, do I have to disable my Symantec anti-virus before running this new script or will this new script disable my anti-virus for me? The reason I ask is that I tried and tried but there was no obvious option available to me to disable my anti-virus!

FYI - As I am at work at the moment, it will be a good 8-10 hrs before I can try the above script on my home pc.

Cheers
Mark

#10 SifuMike

SifuMike

    malware expert



Posted 31 May 2009 - 05:59 PM

Hi Mark,

Just to confirm, do I have to disable my symantec anti-virus before running this new script or

Yes. Disable Symantec anti-virus before running the script.


#11 melbmark30

melbmark30
  • Topic Starter


Posted 01 June 2009 - 07:35 AM

ComboFix 09-05-30.03 - Mark S 01/06/2009 22:25.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2785 [GMT 10:00]
Running from: c:\documents and settings\Mark S\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mark S\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\drivers\kfafvwqn.sys"
"c:\windows\system32\drivers\scoqlzg.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_thgcbtb
-------\Service_vggmculh


((((((((((((((((((((((((( Files Created from 2009-05-01 to 2009-06-01 )))))))))))))))))))))))))))))))
.

2009-05-31 10:25 . 2009-05-31 10:25 14846 ----a-r c:\documents and settings\Mark S\Application Data\Microsoft\Installer\{6F494401-E0D1-41aa-BCDF-4F1252DB1B30}\EPA_Icon.914326BE_BDF9_4068_A4AF_AF1B75093799.exe
2009-05-31 10:25 . 2009-05-31 10:25 -------- d-----w c:\documents and settings\Mark S\Application Data\Netscape
2009-05-31 10:25 . 2009-05-31 10:25 -------- d-----w c:\documents and settings\Mark S\Application Data\Citrix
2009-05-31 08:35 . 2009-05-31 08:35 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-05-31 01:30 . 2009-05-31 01:30 -------- d-----w c:\program files\Trend Micro
2009-05-29 13:26 . 2009-06-01 12:28 80136 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-05-29 12:38 . 2009-05-29 12:38 -------- d-sh--w c:\documents and settings\Mark S\IECompatCache
2009-05-29 12:36 . 2009-05-29 12:36 -------- d-sh--w c:\documents and settings\Mark S\PrivacIE
2009-05-29 12:35 . 2009-05-29 12:35 -------- d-sh--w c:\documents and settings\Mark S\IETldCache
2009-05-29 12:05 . 2009-05-29 12:34 -------- d-----w C:\baa702fff9cd559252f9bb
2009-05-29 12:03 . 2009-05-29 12:03 -------- d-----w c:\windows\ie8updates
2009-05-29 12:02 . 2009-05-12 05:11 102912 -c----w c:\windows\system32\dllcache\iecompat.dll
2009-05-29 12:01 . 2009-05-29 12:02 -------- dc-h--w c:\windows\ie8
2009-05-29 11:23 . 2009-05-29 11:23 -------- d-----w c:\documents and settings\Mark S\Application Data\Malwarebytes
2009-05-29 11:20 . 2009-05-29 11:20 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-29 11:20 . 2009-05-26 03:20 40160 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-29 11:20 . 2009-05-26 03:19 19096 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-29 11:20 . 2009-05-31 01:34 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-27 10:49 . 2009-05-29 09:39 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-27 10:49 . 2009-05-29 09:39 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-25 13:31 . 2009-05-29 09:23 -------- d-----w c:\program files\a-squared Anti-Malware
2009-05-24 03:56 . 2009-05-24 03:57 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-05-24 01:02 . 2009-05-24 01:02 552 ----a-w c:\windows\system32\d3d8caps.dat
2009-05-23 05:30 . 2009-05-29 09:39 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-23 01:43 . 2009-05-24 03:45 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-30 15:26 . 2008-11-24 11:47 20656 ----a-w c:\documents and settings\Mark S\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-29 11:18 . 2008-11-28 10:01 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-29 05:42 . 2008-11-24 09:26 -------- d--h--w c:\documents and settings\Mark S\Application Data\dvdcss
2009-05-24 03:56 . 2008-11-26 07:38 -------- d-----w c:\program files\Google
2009-05-24 03:48 . 2009-02-14 01:18 -------- d-----w c:\program files\WinUAE
2009-05-24 03:46 . 2009-02-09 11:05 47360 ----a-w c:\documents and settings\Mark S\Application Data\pcouffin.sys
2009-05-24 03:46 . 2009-02-09 11:05 47360 ----a-w c:\documents and settings\Mark S\Application Data\pcouffin.sys
2009-05-24 03:46 . 2009-02-09 11:05 -------- d-----w c:\documents and settings\Mark S\Application Data\Vso
2009-05-23 05:22 . 2008-12-15 12:19 -------- d-----w c:\program files\Sierra
2009-05-23 05:21 . 2009-01-31 07:28 -------- d-----w c:\program files\Frets on Fire
2009-04-04 22:32 . 2009-03-21 05:53 -------- d-----w c:\documents and settings\Mark S\Application Data\Apple Computer
2009-04-04 22:24 . 2008-11-28 10:00 -------- d-----w c:\program files\Java
2009-04-04 22:23 . 2009-04-04 22:23 152576 ----a-w c:\documents and settings\Mark S\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-04 04:01 . 2008-11-28 09:34 -------- d-----w c:\program files\Canon
2009-04-04 04:00 . 2009-04-04 04:00 -------- d-----w c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-04-04 03:58 . 2009-04-04 03:58 -------- d-----w c:\program files\Common Files\Canon
2009-04-04 03:28 . 2008-12-10 12:21 -------- d-----w c:\program files\DivX
2009-04-04 03:28 . 2009-04-04 03:28 -------- d-----w c:\program files\Common Files\DivX Shared
2009-03-12 10:18 . 2009-03-12 10:18 75048 ----a-w c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.0.52\SetupAdmin.exe
2009-03-07 18:34 . 2004-08-04 01:07 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-07 18:34 . 2004-08-04 01:07 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-07 18:33 . 2004-08-04 01:07 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-07 18:33 . 2004-08-04 01:07 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-07 18:32 . 2004-08-04 01:07 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-07 18:32 . 2004-08-04 01:07 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-07 18:31 . 2004-08-04 01:07 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-07 18:31 . 2004-08-04 01:07 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-07 18:31 . 2004-08-04 01:07 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-07 18:22 . 2004-08-04 01:07 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2004-08-04 01:07 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-05 12:59 . 2009-03-21 05:51 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-05 12:59 . 2009-03-21 05:51 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-31_08.58.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-01 12:30 . 2009-06-01 12:30 16384 c:\windows\Temp\Perflib_Perfdata_43c.dat
- 2004-08-04 01:07 . 2009-05-31 08:57 67312 c:\windows\system32\perfc009.dat
+ 2004-08-04 01:07 . 2009-06-01 00:32 67312 c:\windows\system32\perfc009.dat
+ 2004-08-04 01:07 . 2009-06-01 00:32 432356 c:\windows\system32\perfh009.dat
- 2004-08-04 01:07 . 2009-05-31 08:57 432356 c:\windows\system32\perfh009.dat
+ 2008-11-10 01:51 . 2008-11-10 01:51 312728 c:\windows\Downloaded Program Files\portfoliomanagerwt.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-03 68856]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-04-29 3338240]
"RGSC"="c:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe" [2009-01-03 306088]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"Six Engine"="c:\program files\ASUS\EPU-4 Engine\FourEngine.exe" [2008-06-25 5625344]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-20 90112]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-11 34672]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-29 148888]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-06-13 16871936]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=

R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [24/11/2008 7:13 PM 36864]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-01 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-26 03:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.theage.com.au/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: {EC0403E0-9158-4CF8-A2B6-3C62C3B9B6B7} - hxxps://go.colesgroup.com.au/CitrixLogonPoint/SRA/EPAClient/EPAClient.exe
FF - ProfilePath - c:\documents and settings\Mark S\Application Data\Mozilla\Firefox\Profiles\eb9l65h2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - plugin: c:\program files\Google\Google Updater\2.4.1591.6512\npCIDetect13.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-01 22:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1229272821-1425521274-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:7c,2a,82,20,cc,0b,57,82,4f,9d,fc,b8,d0,d8,6e,ff,26,72,a8,85,7d,
5a,5c,b4,bd,da,69,b6,0d,ae,bd,a0,66,14,46,c6,e5,2c,89,51,d6,ae,38,f3,45,0c,\
"rkeysecu"=hex:22,10,06,d2,98,35,41,63,60,ad,aa,fa,62,90,84,1e
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3604)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\progra~1\SYMANT~1\SYMANT~1\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\rundll32.exe
c:\program files\Rockstar Games\Rockstar Games Social Club\1_1_3_0\RGSC.exe
c:\progra~1\SYMANT~1\SYMANT~1\Rtvscan.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
.
**************************************************************************
.
Completion time: 2009-06-01 22:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-01 12:33
ComboFix2.txt 2009-05-31 08:59

Pre-Run: 437,116,854,272 bytes free
Post-Run: 437,142,392,832 bytes free

193 --- E O F --- 2009-05-29 22:28

#12 SifuMike

SifuMike

    malware expert



Posted 01 June 2009 - 10:30 AM

Hi Mark,

Please disable any running anti-virus program before running Kaspersky Online Scanner.
If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/
Close any open browsers.

Please do a scan with Kaspersky Online Scanner

You can refer to this animation by sundavis.


Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
This scanner will only scan. It does not remove any malware it finds.

#13 melbmark30

melbmark30
  • Topic Starter


Posted 03 June 2009 - 05:16 AM

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Wednesday, June 3, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, June 03, 2009 08:31:45
Records in database: 2300885
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Files scanned: 85028
Threat name: 4
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 01:11:36


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B600000.VBN Infected: Trojan-Downloader.Win32.Small.jqv 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0BF00000.VBN Infected: Trojan.Win32.Tdss.acdc 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E340000.VBN Infected: Trojan-Downloader.Win32.VB.jub 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\gxvxclqpmetehyijnlqhcvnmnytoyvxtwpxrq.sys.vir Infected: Rootkit.Win32.Agent.kvr 1
C:\System Volume Information\_restore{154EC009-1AC6-4EA7-AE4D-F7E7BDF812DF}\RP174\A0024352.sys Infected: Rootkit.Win32.Agent.kvr 1

The selected area was scanned.

#14 SifuMike

SifuMike

    malware expert



Posted 03 June 2009 - 10:40 AM

Hi Mark,


Kaspersky scan looks good. Everything it found was either previously quarantined or in the System Restore folder. We will be resetting the System Restore folder when we finish.

How is the computer running?

We still have to do some program clean up.

#15 melbmark30

melbmark30
  • Topic Starter


Posted 03 June 2009 - 09:25 PM

Hey Mike

Looking excellent. Google searches look legit now! Thanks!! So is there more I need to do now?



