Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Avast Disabled, Searches Redirected, Services Crashing

  • This topic is locked This topic is locked
2 replies to this topic

#1 Xagest


  • Members
  • 1 posts
  • Local time:07:47 PM

Posted 11 February 2010 - 02:13 AM

A friend sent me his computer for me to diagnose, and so far the usual methods haven't been working. MalwareBytes produces nothing, and Avast's bootscan brings up nothing. There's nothing suspicious in the HiJackThis log as far as I can tell, either. I've also used Spybot S&D.

Anyway, this bug seems to have disabled my Avast On Access Protection permenantly. It redirects google searches to adware sites. It deleted the System Restore files. Also, I get crashing services that prompt for computer restarts (DCOM and Plug and Play). I suspect I have a rootkit, but you guys can probably guess better.

I also noticed that if I try to do a windows update to Vista SP2, I get thrown into a STOP 7B blue screen error. I'm only able to get out of this from a set of registry keys I've backed up. Don't know if that's related, but I had to disable windows update to prevent SP2 from installing

DDS (Ver_09-12-01.01) - NTFSx86
Run by TR PLASTER at 23:43:45.10 on Wed 02/10/2010
Internet Explorer: 8.0.6001.18882
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

============== Pseudo HJT Report ===============

uSearch Page =
uStart Page = hxxp://ww2.cox.com/myconnection/arizona/home.cox
uSearch Bar =
mStart Page = hxxp://www.yahoo.com
mDefault_Page_URL = hxxp://www.yahoo.com
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {D0523BB4-21E7-11DD-9AB7-415B56D89593} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\myesse~1.lnk - c:\program files\my essentials\usb me1001-usb\wireless utility\O-Maxwcui.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

2010-02-11 05:41:41 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-02-11 04:46:52 0 d-----w- c:\program files\Sophos
2010-02-11 02:08:28 58962784 ----a-w- c:\windows\system32\confi.reg
2010-02-11 01:15:45 98816 ----a-w- c:\windows\sed.exe
2010-02-11 01:15:45 77312 ----a-w- c:\windows\MBR.exe
2010-02-11 01:15:45 261632 ----a-w- c:\windows\PEV.exe
2010-02-11 01:15:45 161792 ----a-w- c:\windows\SWREG.exe
2010-02-11 01:15:28 0 d-s---w- C:\ComboFix
2010-02-11 00:19:33 0 d-----w- c:\windows\system32\SPReview
2010-02-09 01:58:49 0 d-----w- c:\program files\TrendMicro
2010-02-09 01:54:06 0 d-----w- c:\program files\Microsoft
2010-02-09 01:54:04 0 d-----w- c:\program files\MSN Toolbar
2010-02-09 01:53:34 0 d-----w- c:\program files\MSN Toolbar Installer
2010-02-08 22:41:49 0 d-----w- c:\windows\system32\drivers\backup
2010-02-02 04:36:02 0 d-----w- c:\windows\system32\EventProviders
2010-02-02 04:34:55 0 d-----w- c:\users\trplas~1\appdata\roaming\Malwarebytes
2010-02-02 04:34:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-02 04:34:49 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-02 04:34:49 0 d-----w- c:\programdata\Malwarebytes
2010-02-02 04:34:49 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-02 01:32:31 0 d-----w- c:\program files\Ad-Aware SE Personal
2010-01-30 02:56:17 53328 ------w- c:\windows\system32\drivers\aswMonFlt.sys
2010-01-30 02:28:48 212 ----a-w- c:\windows\wininit.ini
2010-01-30 01:51:42 0 d-----w- c:\programdata\Alwil Software
2010-01-13 07:43:30 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-13 07:43:29 72704 ----a-w- c:\windows\system32\fontsub.dll

==================== Find3M ====================

2010-02-11 00:25:38 86016 ----a-w- c:\windows\inf\infstrng.dat
2010-02-11 00:25:38 86016 ----a-w- c:\windows\inf\infstor.dat
2010-02-11 00:25:38 51200 ----a-w- c:\windows\inf\infpub.dat
2010-02-11 00:23:08 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-01-14 18:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-02 06:38:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32:33 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32:33 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57:00 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-26 09:39:43 4609 ----a-w- c:\windows\1z90backdoor5325.dll
2009-12-21 14:02:04 8106 ----a-w- c:\windows\system32\671hac9zoo588.bin
2009-12-21 09:43:42 5990 ----a-w- c:\windows\20553spamb9taz.dll
2009-12-20 13:53:55 15809 ----a-w- c:\windows\system32\9da6zparse58.dll
2009-12-19 20:16:20 10899 ----a-w- c:\windows\system32\z87dthre5t92529.exe
2009-12-19 07:18:13 11058 ----a-w- c:\windows\4515a9dzare3137.dll
2009-12-18 01:18:15 15145 ----a-w- c:\windows\system32\9a39spar5e2295z.bin
2009-12-17 08:31:29 15457 ----a-w- c:\windows\system32\6b89viz31735.dll
2009-12-16 09:12:32 10553 ----a-w- c:\windows\system32\383sp955z.exe
2009-12-14 02:15:19 15272 ----a-w- c:\windows\65dczddwar95725.bin
2009-12-13 19:54:07 5331 ----a-w- c:\windows\system32\14729sp5mbzt628.bin
2009-12-11 09:09:12 4782 ----a-w- c:\windows\system32\9zaddw5re2703.dll
2009-12-09 14:28:37 14828 ----a-w- c:\windows\system32\30z99wor5430.dll
2009-12-06 04:44:09 15072 ----a-w- c:\windows\41b9s5eal55z.exe
2009-12-06 00:56:16 15907 ----a-w- c:\windows\90za5dware1827.bin
2009-12-03 21:21:04 15333 ----a-w- c:\windows\system32\90395trzj65d.dll
2009-12-02 18:29:14 13593 ----a-w- c:\windows\9a58spa5sz1470.dll
2009-12-01 00:06:09 9354 ----a-w- c:\windows\system32\2z906troj65b9.bin
2009-11-23 19:09:55 7252 ----a-w- c:\windows\715cvzr997.exe
2009-11-23 17:00:45 5662 ----a-w- c:\windows\system32\9459s5y2zd.bin
2009-11-20 21:23:07 6749 ----a-w- c:\windows\19671z5t-a9virus4db.bin
2009-11-20 13:32:05 2716 ----a-w- c:\windows\system32\97624zorm5a9.exe
2009-11-16 21:55:57 11744 ----a-w- c:\windows\4215vzr25669.dll
2009-11-16 13:23:45 15569 ----a-w- c:\windows\4a1zth5eat179469.dll
2009-11-16 11:33:11 5950 ----a-w- c:\windows\system32\96159yware2z95.bin
2009-11-16 08:05:50 5698 ----a-w- c:\windows\5254steaz899.exe
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 23:44:44.91 ===============

Attached Files

BC AdBot (Login to Remove)


#2 myrti



  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home
  • Local time:02:47 AM

Posted 17 February 2010 - 05:19 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
[We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\*. /mp /s
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt<--Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!


Follow BleepingComputer on: Facebook | Twitter | Google+

#3 myrti



  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home
  • Local time:02:47 AM

Posted 06 March 2010 - 04:28 PM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!


Follow BleepingComputer on: Facebook | Twitter | Google+

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users